(57) ABSTRACT

The invention disclosed herein enables a collection of com- 
puters and associated communications infrastructure to offer
a new communications process which allows information 
providers to broadcast information to a population of infor- 
mation consumers. The information may be targeted to those 
consumers who have a precisely formulated need for the 
information. This targeting may be based on information 
which is inaccessible to other communications protocols. 
The targeting also includes a time element. Information can 
be brought to the attention of the consumer precisely when 
it has become applicable, which may occur immediately 
upon receipt of the message, but may also occur long after 
the message arrives. The communications process may
operate without intruding on consumers who do not exhibit 
the precisely-specified need for the information, and it may
operate without compromising the security or privacy of the 
consumers who participate. 
METHOD AND APPARATUS FOR COMPUTED RELEVANCE MESSAGING

This application claims benefit to U.S. provisional No. 60/098,798 filed Sep. 1, 1998.

BACKGROUND OF THE INVENTION

1. Technical Field

The invention relates to a new process of communication using computers and associated communications infrastructure. More particularly, the invention relates to a method and apparatus for computed relevance messaging.

2. Description of the Prior Art

The aim of a communications process is to relay information between pairs of actors who, for purposes of the discussion herein, consist of an information provider and an information consumer. The following briefly discusses the concerns of each party.

Concerns of Information Provider

The information provider knows of pieces of information and of corresponding situations in which certain consumers would find those pieces of information interesting, useful, or valuable. For example, such pieces of information may concern problems consumers who have particular attributes might be interested in solving or that concern opportunities of interest to consumers having such particular attributes. The provider wishes to distribute the information to those consumers in those specific situations.

In principle, an information provider might know of thousands or millions of conditions about which it can offer information. The audience for such conditions might involve thousands or millions of consumers.

A particularly interesting situation is where a typical piece of information should be directed only to consumers having a very special combination of circumstances. A typical piece of information would in principle be of interest to only a small fraction of the consumer base, but where this small fraction nevertheless amounts to large number of consumers.

A challenging but very important case occurs when verifying when the conditions for applicability of a certain piece of information requires knowing a great deal of detailed information about the consumer, his concerns and affiliations, or his property. This information might be considered very sensitive by consumers, who would not want to participate in a process that required disclosure of the information to the provider. Therefore, it might seem impossible to target the information to consumers because only the consumers have access to the information required to make the determination that the information applies to them, and they are unwilling to expend the effort to make a determination themselves, or to give others access to the sensitive information required to make the determination on their behalf.

Concerns of Information Consumer

The consumer is an individual or organization that knows of information providers who have information of potential benefit to them. The consumer may in fact know of tens or hundreds of such providers. Typically, at any given moment, only a small fraction of the information being offered by the information provider is of potential interest to the consumer. The consumer does not want to review all the information available from the information provider. He would prefer to see the subset consisting of information, which is relevant to the consumer.

Typically, the information which the provider is offering changes with time and the conditions experienced by the consumer are changing with time. The consumer would prefer not to have to track changes continually in his own status and the status of the information providers offerings. He would also prefer not to have to remember that pieces of information published some time before could have suddenly become applicable.

The consumer would prefer that a procedure be available for automatically detecting the existence of applicable information as it became applicable, either because the consumer's situation had changed, because the information provider's offerings had changed, or because the conditions for applicability of the information involved time considerations which had become applicable. The consumer would prefer not to reveal to the provider information about his identity or the details of his interests, preferences, and possessions. Rather, the consumer would prefer to receive information in a form where he may carefully study it before using it.

The consumer would also prefer to have a method to inform himself about known problems with an information provider or with a certain piece of information before using the information. Typically, the consumer would prefer that if the decision to use a piece of information is made, the application of the information is painless and essentially automatic. The consumer would prefer to be insulated from the prospect of damage caused by incorrect information.

It would therefore be advantageous to provide a communications technique that addressed each of the above concerns with regard to both the information provider and the information consumer.

SUMMARY OF THE INVENTION

The invention disclosed herein enables a collection of computers and associated communications infrastructure to offer a new communications process. This process allows information providers to broadcast information to a population of information consumers. The information may be targeted to those consumers who have a precisely formulated need for the information. This targeting may be based on information which is inaccessible to other communications protocols, for example because under other protocols [...] sensitive information, or because under other protocols the [...] obtainable only after extensive calculations using [...] knowledge of the consumer computer, its contents, and local environment.

The targeting also includes a time element. Information can be brought to the attention of the consumer precisely when it has become applicable, which may occur immediately upon receipt of the message, but may also occur long after the message arrives. Again, this is a feature inaccessible under other communication protocols, where the time of [...] of information and the time of consumer notification are closely linked.

The communications process may operate without intruding on consumers who do not exhibit the precisely-specified need for the information, and it may operate without compromising the security or privacy of the consumers who participate. For example, in one implementation, the information provider does not learn the identity or attributes of the individuals who receive this information.

This process enables efficient solutions to a variety of problems in modern life, including the automated technical support of modern computers. In the technical support application, the disclosed invention allows a provider to
reach precisely those specific computers in a large consumer population which exhibit a specific combination of hardware, software, system settings, data, and local environment, and to offer the users of those computers appropriate remedies to correct problems known to affect computers in such situations.

The presently preferred embodiment of the invention is specially tuned to address the concerns of consumers and providers in a technical support application. Many other interesting applications areas and embodiments of the invention are also described herein.

This particular embodiment of the invention is described as follows.

Actors, referred to herein as advice providers, author advisories, which are specially structured digital documents which may contain:

(1) Humanly-interpretable content, such as text and multimedia;

(2) Computer-interpretable content, such as executable programs and data; and

(3) Expressions in a special computer language called the relevance language.

The relevance language describes precise conditions under which a given advisory may be relevant to a consumer, by referring to properties of the environment of the consumer computer interpreting the message, such as system configuration, file system contents, attached peripherals, or remotely accessible data. The humanly-interpretable content in an advisory may describe the condition that triggered the relevance determination and propose an action in response to the condition, which could range from installing software to changing system settings to purchasing information or software. The computer-interpretable content may include software which performs a certain computation or effects a certain change in the system environment.

Advisories are communicated by a process of publication/subscription over a wide-area network such as the Internet. Advisories are placed by their authors at well-known locations, referred to herein as advice sites. Applications referred to as advice readers running on the computers of advice consumers periodically obtain advisories from advice servers which operate at advice sites.

Advice readers process the messages so obtained and automatically interpret the relevance clauses. They determine whether a given message is relevant in the environment defined by the consumer's computer and associated devices. The user is then notified of those messages which are relevant, and the user may read the relevant advisories and invoke the recommended actions.

Relevance evaluation is conducted by parsing relevance language clauses into constituent method dispatches. These clauses invoke specific inspectors which can return specific properties of the computer, its configuration, its file system, or other component of interest. In effect, the list of properties of the environment which may be referred to in the relevance language and verified by the advice reader is determined by the contents of the inspector library installed at run-time.

The existence of standard inspector libraries provides the advice provider with a rich vocabulary for describing the state of the consumer computer and its environment. In one implementation, the collection of inspector libraries can be dynamically expanded by advice providers.

Advice readers operate continually in an automatic mode, gathering advice from many advice providers distributed across public networks such as the Internet, and diagnosing relevance as it occurs.

Advice readers following an advice gathering protocol, referred to herein as Anonymous Exhaustive Update Protocol, may operate in a manner which fully respects the privacy of the computer's owner. Information resulting from the relevance determination, i.e. information obtained from the consumer computer, does not leak out to the server. Information on the consumer computer stays on the consumer computer unless the consumer approves its distribution.

[...] variations on this specific embodiment are described in detail, including variations which have very different applications, very different message formats, very different gathering protocols, very different security and privacy attributes, very different methods of describing the consumers to whom a message may be relevant, and very different trust relationships between consumer and provider (e.g. master-slave relationships). The disclosed invention is shown to be capable of effective embodiment in all these settings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a [...] diagram showing the process of matching advisories to consumers according to the invention;

FIG. 2 is a block diagram showing an advisor viewpoint according to the invention;

FIG. 3 is a block diagram showing a consumer viewpoint according to the invention;

FIG. 4 is a flow diagram showing a technical support application according to the invention;

FIG. 5 is a block diagram showing an advice site according to the invention;

FIG. 6 is a [...] diagram showing an advice reader according to the invention;

FIG. 7 is a block diagram showing consumer response to relevance notification according to the invention;

FIG. 8 is a data structure showing an advisory according to the invention;

FIG. 9 is a block diagram showing the process of relevance evaluation according to the invention;

FIG. 10 is a flow diagram showing expression tree generation according to the invention;

FIG. 11 is a [...] diagram showing named property [...] dispatch according to the invention;

FIG. 12 is a flow diagram showing an object evaluation model according to the invention;

FIG. 13 is a flow diagram showing an object hierarchy according to the invention;

FIG. 14 is a flow diagram showing a new component of an object hierarchy according to the invention;

FIG. 15 is a data structure showing the contents of an inspector library according to the invention;

FIG. 16 is a block diagram showing situational advice according to the invention;

FIG. 17 is a [...] diagram showing simulated conditions according to the invention;

FIG. 18 is a block diagram showing a commodity market according to the invention;

FIG. 19 is a flow diagram showing a relevance-adapted document according to the invention;

FIG. 20 is a flow diagram showing questionnaire processing according to the invention;

FIG. 21 is a flow diagram showing a mandatory feedback variant according to the invention;
FIG. 22 is a flow diagram showing a consumer feedback
variant according to the invention; 

FIG. 23 is a flow diagram showing masked bidirectional 
communication by an anonymous server according to the 
invention;

FIG. 24 is a flow diagram showing a further mandatory 
advice variant according to the invention; and 

FIG. 25 is a block diagram showing remove relevance 
invocation according to the invention.

DETAILED DESCRIPTION OF THE 
INVENTION

The invention implements a process of communication 
which systematically solves the problem of linking an 
information provider to information consumer. The inven- 
tion provides a system which depends on the use of com- 
putational devices connected by communications networks. 
In actual practice, these devices could range from traditional 
large-scale computers to personal computers to handheld 
personal information managers to embedded computational 
devices in the ambient environment, including consumer
appliances such as remote controls and smart TVs, or other 
common computationally-dense environments, such as 
transportation vehicles. The communications mechanisms
could include a modem or other wired media, or wireless 
communications, using the Internet or other protocols, and 
could include the physical distribution of media. Whatever 
the specific instance, for purposes of the discussion herein, 
the computational device shall be referred to as a computer 
and the communications infrastructure shall be referred to as
a network. Typical examples of such infrastructure include 
intranets (private computer networks), and the Internet, the 
large public computer network that hosts the World Wide 
Web and related services. 

The invention architecture is best understood if a specific 
terminology is adopted, which evokes a focused instance of 
the above described communications problem. The specific
units of information to be shared henceforth are referred to 
as pieces of advice (see FIG. 1). The special digital docu-
ments conveying advice are referred to as advisories. An
advice provider 10 is an organization or individual which 
offers information in the form of advisories 11a-11d. The
provider is represented by a server computer in a commu-
nicating network of computers. An advice consumer
14a-14c is an organization or individual which receives
information in the form of advisories. The consumer is
represented by a computer referred to as the consumer 
computer in a communicating network of computers. 

It is helpful to think in concrete terms, and to suppose that
the advice provider is in fact a large organization running a 
large-scale server computer, that the advice consumer is in 
fact an individual represented by a single personal computer, 
smart TV, personal information manager, or other personal 
computational device; and to suppose that the network of
computers may communicate according to a protocol similar 
to the TCP/IP protocol now in use by the Internet. In actual
practice, many variations can be expected. For example, an 
advice provider may constitute an individual represented by 
a personal computer, an advice consumer may be a corpo-
ration represented by a large-scale computing engine, and
the communications process underlying the invention may 
be realized with other protocols operating over other physi- 
cal means of communication. 

Using this terminology, it is now possible to describe a
key purpose of the invention. The invention allows one to
relay advisories from advice providers to advice consumers. 
The communications protocol allows narrowly-focused tar-
geting by automatically matching advisories with consumers 
for whom those advisories are relevant. 

Relevance determination (see FIG. 2) is carried out by an 
applications program, referred to as the advice reader 20 
which runs on the consumer computer and may automati- 
cally evaluate relevance based on a potentially complex 
combination of conditions, including: 

Hardware attributes. These are, for example, the type of 
computer on which the evaluation is performed, the 
type of hardware configuration 21, the capacity and 
uses of the hardware, the type of peripherals attached, 
and the attributes of peripherals. 
Configuration attributes. These are, for example, values of 
settings for variables defined in the system configura- 
tion 22, the types of software applications installed, the 
version numbers and other attributes of the software, 
and other details of the software installation 27.
Database attributes. These are, for example, attributes of 
files 23 and databases on the computer where evalua- 
tion is performed, which may include existence, name, 
size, date of creation and modification, version, and 
contents. 

Environmental attributes. These are, for example,
attributes which can be determined after querying 
attached peripherals to learn the state of the environ- 
ment in which the computer is located. Attributes may 
include results of thermal, acoustic, optical, geographic 
positioning, and other measuring devices. 

Computed attributes. These are, for example, attributes 
which can be determined after appropriate computa- 
tions based on knowledge of hardware, configuration, 
and database and environmental attributes, by applying 
specific mathematico-logical formulas, or specific 
computational algorithms. 

Remote attributes 24. These are, for example, hardware, 
configuration, database, environmental, and computed 
attributes that are available by communicating with
other computers having an affinity for the consumer or
his computer. 

Timeliness 25. These are, for example, attributes based on 
the current time, or a time which has elapsed since a 
key event, such as relevance evaluation or advice 
gathering. 

Personal attributes. These are, for example, attributes 
about the human user(s) of the computer which can 
either be inferred by analysis of the hardware, the 
system configuration, the database attributes, the envi- 
ronmental attributes, the remote attributes, or else can 
be obtained by soliciting the information directly from 
the user(s) or their agents. 
Randomization 26. These are, for example, attributes
resulting from the application of random and pseudo-
random number generators.
Advice Attributes 27. These are, for example, attributes 
describing the configuration of the invention and the 
existence of certain advisories or types of advisories in 
the pool of advice. 
In this way, whatever information is actually on the
consumer computer or reachable from the consumer com-
puter may in principle be used to determine relevance. The
information accessible in this way can be quite general, 
ranging from personal data to professional work product to 
the state of specific hardware devices. As a result, an 
extremely broad range of assertions can be made the subject 
of relevance determination. 
The advice reader 30 (see FIG. 3) may operate automati-
cally to determine relevance. It may present to the consumer
a display of relevant advisories 32 only from several advice
sites 33a-33c, so that the consumer is not burdened with the
task of reading irrelevant advisories. In this way advisories
may provide an automatic diagnosis 34 to any problem 
which a relevance clause may describe. 

Advisories are digital documents which may contain an 
explanatory component, describing in terms the consumer 
can easily understand the reason that the advisory is relevant 
and the purpose and effects of the action which is being 
recommended to the consumer. These digital documents 
may also contain, as another component, executable com- 
puter programs, or links to executable computer programs. 
In this way advisories may provide an automatic solution to 
any problem which the relevance message may have 
diagnosed, and which may be activated at the consumer's 
discretion. 

In short, the invention posits a situation where proactive 
advice providers identify situations of interest to consumers 
and provide advice about dealing with such situations.
Computer Technical Support Application 

To make the above generalities more concrete, a particular 
application area is described where this communications 
process may be of considerable utility (see FIG. 4). 

In the technical support application, the advice provider
offers a computer-related product or service, such as 
hardware, software, Internet service, or data processing 
service. The advice provider has a potentially large, poten- 
tially widely distributed customer base 40. In part from user 
input 42, the advice provider knows of problematic situa-
tions 41 which may affect certain computers belonging to the
customers. The advice provider identifies these problematic 
situations 43, which may include the use of out-of-date 
versions of software, improper system settings, conflicting 
combinations of software applications, inadequate physical
resources, corrupted files, other similar phenomena. The 
advice provider may know, for each problematic situation, a 
precise combination of hardware, system configuration, 
database configuration, timeliness, and other attributes 
which may signal the situation. The advice provider may
know a precise solution 44 to each problematic situation, 
which may include: 

A suggestion to the user to modify usage patterns; 

A suggestion to the user to read a document; 

A proposal to upgrade to a new software version; 

A proposal to modify system settings; 

A proposal to run a certain script to effect a solution; or 

A proposal to download and execute special applications 
to correct the situation.

The advice provider authors an advisory 45, which is then 
preferably tested 46, and made available to relevant users at 
an advice site 47. In this way, the advice provider can use 
invention to reach the consumer population efficiently. The
provider packages the information about the specific situa- 
tion as a formal advisory concerning the situation. This 
digital document may include: 

A precise formal-language specification of conditions
under which the situation occurs; 

Explanatory information intended for consumers who are
in the given situation, describing to those consumers
the situation they are in, the implications of the
situation, and the providers proposed actions to correct 
the situation; or 

Digital content providing automatic solution or response.

The advice provider publishes the advisory 40 over the 
Internet or an Intranet, through an advice server running at 
the provider's advice site. For example (see FIG. 5), the
advice site may comprise a directory of advice files 51a-51b
and inspector files 52a-52b (discussed below). These advi-
sories may be communicated to the outside world 54 via
such media as a directory message server 55, an HTTP 
server 56, and FTP server 57, or a file server 58. 

The advice consumer is a user of the products and services 
of the advice provider who knows of the advice provider's 
advice site and generally trusts the provider's organization 
and the advice that it authors. The advice consumer has 
available on his computer the advice reader application. The 
advice consumer instructs his advice reader to subscribe to 
the advice site offered by the advice provider. 

The advice reader 20 (see FIG. 6), at scheduled intervals 
or under user manual control via a user interface 65, gathers 
advisories to which the user subscribes. Subscription to 
advisories are entered with a subscription manager 67 based, 
at least in part, on information in various user site definition 
files 68. Advisories are gathered from the advice provider's 
advice sites 33a-33f) using a gatherer 60. The reader then 
parses the advisories using an unwrapper 61 and adds these 
advisories to any already existing body of advisories. Advi- 
sories may be provided to the reader via any of several 
sources, including alternate input streams 62. The advice 
reader determines the relevance of any of the existing or new 
advisories with a relevance evaluation module 63. This 
determination is made either continuously, at scheduled 
intervals, or under user manual control. The advice reader 
includes a user interface 65 that receives relevant advisories 
and a display and management system 66 that displays 
relevant advisories for inspection by the consumer.
In some embodiments of the invention,
an advisory may also be subject to digital verification using
a verification module 64 (discussed in greater detail below).
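
The gather-then-evaluate flow described above can be sketched as follows. This is an added example, not code from the patent: the clause syntax (a restricted subset of Python expressions), the inspector names, the advisory fields, the request shape and `vendor.example` are all assumptions. It shows that the request sent to the advice site is the same for every consumer, that relevance is decided locally, and that a clause can only read what the installed inspectors expose.

```python
import ast
import operator

# Comparison operators a relevance clause may use (toy syntax, an assumption).
_CMP = {ast.Lt: operator.lt, ast.LtE: operator.le, ast.Gt: operator.gt,
        ast.GtE: operator.ge, ast.Eq: operator.eq, ast.NotEq: operator.ne}

class RelevanceError(Exception):
    """Clause uses syntax or an inspector outside the installed vocabulary."""

def make_inspectors(state):
    """Hypothetical inspector library: the only properties a clause can read."""
    return {
        "is_installed": lambda app: app in state["apps"],
        "installed_version": lambda app: state["apps"].get(app),
        "file_exists": lambda path: path in state["files"],
    }

def _eval(node, inspectors):
    # Walk the parsed clause; any node type not listed here is rejected.
    if isinstance(node, ast.Constant) and isinstance(node.value, (str, int, float)):
        return node.value
    if isinstance(node, ast.BoolOp):
        results = (_eval(v, inspectors) for v in node.values)  # lazy: short-circuits
        return all(results) if isinstance(node.op, ast.And) else any(results)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval(node.operand, inspectors)
    if isinstance(node, ast.Compare) and len(node.ops) == 1:
        compare = _CMP.get(type(node.ops[0]))
        if compare is not None:
            return compare(_eval(node.left, inspectors),
                           _eval(node.comparators[0], inspectors))
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and not node.keywords):
        inspector = inspectors.get(node.func.id)
        if inspector is None:
            raise RelevanceError("unknown inspector: " + node.func.id)
        # Each call in the clause becomes one dispatch to a named inspector.
        return inspector(*[_eval(arg, inspectors) for arg in node.args])
    raise RelevanceError("unsupported syntax: " + type(node).__name__)

def evaluate(clause, inspectors):
    """Return True if the clause holds on this computer."""
    return bool(_eval(ast.parse(clause, mode="eval").body, inspectors))

class AdviceSite:
    """Provider side: serves every advisory and records what it was sent."""
    def __init__(self, name, advisories):
        self.name, self.advisories, self.seen = name, advisories, []

    def serve(self, request):
        self.seen.append(dict(request))
        return list(self.advisories)

class AdviceReader:
    """Consumer side: gathers everything, evaluates relevance locally."""
    def __init__(self, inspectors):
        self.inspectors = inspectors
        self.pool = {}  # advisories stay resident until they become relevant

    def gather(self, site):
        # The request is the same for every consumer: it carries no local
        # state and no earlier relevance result.
        for advisory in site.serve({"site": site.name, "want": "all"}):
            self.pool[advisory["id"]] = advisory

    def relevant(self):
        hits = []
        for advisory in self.pool.values():
            try:
                if evaluate(advisory["relevance"], self.inspectors):
                    hits.append(advisory["id"])
            except (RelevanceError, SyntaxError, TypeError, ValueError):
                continue  # malformed or out-of-vocabulary clause: not relevant
        return sorted(hits)

# Constructed sample advisories; names and clauses are illustrative only.
SAMPLE_ADVISORIES = [
    {"id": "ADV-1", "text": "Upgrade PhotoEdit to version 4.",
     "relevance": 'is_installed("PhotoEdit") and installed_version("PhotoEdit") < 4'},
    {"id": "ADV-2", "text": "Replace the outdated driver.",
     "relevance": 'file_exists("C:/drivers/old.sys") and not is_installed("DriverFix")'},
    {"id": "ADV-3", "text": "Clause asks for a property with no inspector.",
     "relevance": 'read_mailbox("inbox") != ""'},
]

def demo():
    site = AdviceSite("vendor.example", SAMPLE_ADVISORIES)
    state_a = {"apps": {"PhotoEdit": 3}, "files": set()}
    state_b = {"apps": {}, "files": {"C:/drivers/old.sys"}}
    reader_a = AdviceReader(make_inspectors(state_a))
    reader_b = AdviceReader(make_inspectors(state_b))
    reader_a.gather(site)
    reader_b.gather(site)
    first = (reader_a.relevant(), reader_b.relevant())
    state_b["apps"]["PhotoEdit"] = 2  # local change later, no new gather
    return first, reader_b.relevant(), site.seen
```

In `demo()` the two consumers see different relevant advisories while the site records two identical requests, and the second consumer's later local change makes an already-resident advisory relevant without any further contact with the site.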

A typical relevant advisory is reported to a consumer as 
follows: 

Your computer has a certain combination of hardware and 
software and settings. Computers with this combination 
have frequently been reporting a particular problem. 
Our company has a solution. It will change your 
computer settings. If you accept to use this solution, 
your problem will go away. This solution has been 
rigorously tested before release, and represents our best 
known way of dealing with this problem. 
The advice consumer reviews such relevant advisories 
100 (see FIG. 7), and acts on the advisories 110, for example
by ignoring the advisory 111. Otherwise, the user potentially
deliberates, which deliberation may include informing him-
self further about the advisory or its author 112, informing
others of the advisory 113, or taking some other offline 
action 114 and then, depending on the outcome of the 
deliberation, he approves or denies approval. If the con- 
sumer gives approval, an automatic solution may result, 
which may involve a variety of activities, including software 
downloading 72, installation, and execution 71, an auto- 
matic electronic response 73, or the purchase or order of a 
digital object 70. 

This particular application area shows how invention can 
be used to diagnose and fix problems on a computer auto- 
matically. There are many other applications areas of the 
invention, which may involve making commercial transac- 
tions rather than fixing computer problems, or offering new 
forms of private communications. 
Responsiveness to Concerns 

The invention is fully responsive to the concerns dis- 
cussed above. 
Provider Concerns

Large Scale Communications. In common with other 
computer-mediated communications systems, such as the 
world-wide web, the invention is able to reach a large 
number of consumers and convey to them a large body of 
informational messages, at low cost. 

Automatic Operation. The matching of information to 
consumers is done without the need for case-by-case inter- 
vention of skilled human operatives. 

Exclusive Targeting. The invention enables information to 
flow precisely to the appropriate consumers. The provider 
can guarantee this by carefully specifying the conditions
under which a piece of advice is relevant. 

Targeting with Intimate Knowledge. Information target- 
ing in the invention is precisely focused on the attributes of 
the consumer because it has access to intimate knowledge of 
the inner details of the consumer computer's state, without
necessarily disclosing this knowledge to the provider. This 
degree of targeting is not possible under other protocols 
because other protocols require disclosure of this informa- 
tion to the provider to determine if a piece of information is 
relevant. 

Consumer Concerns 

The invention satisfies the main consumer concerns men- 
tioned earlier. 

Automatic Unattended Operation. The invention is an
automated messaging system which operates successfully 
with infrequent consumer involvement. The advice reader 
can periodically gather new advice from advice sites that it 
subscribes to. This process may be fully automatic (manual 
intervention is also available). The databases of advice 
resident on the consumer computer may be continually 
evaluated for relevance by automated unattended operation 
of the advice reader. 

Provision of Narrowly Targeted information. In a typical 
mode of operation, the consumer only sees information 
relevant to his precise attributes, including attributes deriv- 
able from the contents of his computer, associated periph-
erals and affiliated computers.

Timely Provision of information. In a typical mode of 
operation, a piece of advice may enter the consumer com- 
puter and remain resident for an extended period of time 
before becoming relevant. Information is displayed when it 
has become applicable, not before it does. 

Opportunity for Deliberation. Typically, the advice reader 
does not automatically apply a recommended solution 
operator. Rather, the advice reader gives the consumer the 
chance to study the diagnosis and recommendation, and to 
evaluate the credibility of the provider, before proceeding.
There are three special aspects to the deliberation process 
available in invention: 
Disclosure of Potential Risks. By exploiting known user 
interface methods, such as HTML display with hyper- 
text links, the invention enables advice providers to 
inform consumers fully about potential risks associated 
with following a certain recommended course of 
action. 

Discovery of Consumer Complaints. Via devices to be 
discussed below (such as the Better Advice Bureau) 
consumers may use the advisory mechanism to inform 
themselves about the existence of known and foresee- 
able privacy and security risks associated with specific 
advisories and/or advice providers before accepting 
proposed solutions. 

Correction of Known Defects. The invention allows 
advice providers to retract their own faulty advice. An 
instance of this is the UrgentAdviceNet mechanism 
(discussed below) for rapidly distributing advisories to 
the invention population. 

Automated Solution. Typically the advice provider 
authors an advisory in such a way that the advice reader 
offers it to the user to apply a recommended solution 
operator automatically after the user has given approval. 
Thus, the invention offers an automated solution to the 
user's condition under user guidance. 

In short, the invention provides a mechanism to match 
consumers with highly specific relevant advisories effi- 
ciently in a communications structure which is responsive to 
consumer concerns. 

Security and Privacy Technique: One-Way Membrane 

The disclosed invention offers a comprehensive process 
for computed-relevance messaging. This is a broad idea, 
with many possible applications. In certain settings, this type 
of messaging must be implemented in a fashion which pays 
special attention to security and privacy concerns, i.e. a 
one-way membrane 35 (see FIG. 3). For a concrete instance, 
consider the technical support application (discussed above), 
where: 

Communication must take place over public networks 
 such as the Internet; 

The advice provider is a large business or other concern; 
 and 

Advice consumers make up a widely distributed group of 
 lay users. 

In this setting, consumers have special concerns about any 
process which functions as if it had intimate knowledge of 
the consumer's computer and its contents. These concerns 
are legitimate because the Internet is widely known as an 
insecure communications medium. Hence, systems which 
interact with the Internet, and which appear to function as if 
they had intimate knowledge about a user, might appear to 
enable privacy intrusions. 

The invention addresses this problem by proposing a 
method of interaction between the consumer computer and 
the Internet which protects the consumer's privacy. This 
mechanism need not be used in other settings. For example, 
in certain private computer networks, commonly referred to 
as intranets, the invention has a variety of applications. In 
such settings, security and privacy are considered guaran- 
teed by physical control of the computer and communica- 
tions infrastructure involved, and possibly by contracts 
creating obligations on the participants in the process. 

The invention employs a special protocol for subscription 
and gathering in the security and privacy critical setting. For 
purposes of the discussion herein, this setting is referred to 
as the Anonymous Exhaustive Update Protocol (AEUP). 
The intention of this interaction protocol is to create a 
one-way membrane, where information can enter the con- 
sumer computer in the form of advisories, but information 
about the consumer does not leave the consumer computer 
unless it is the consumer who initiates the transfer. 

The AEUP protocol is described as the default protocol of 
the invention. The reasons that this protocol offers consum- 
ers privacy are discussed below. This document also describes 
many applications where security and privacy are not critical 
to acceptance by the consumer. Thus, it is possible to 
provide a certain degree of security and privacy protection 
without using this protocol. See below for a discussion of 
alternative protocols, such as the Anonymous Selective 
Update Protocol (ASUP). 

A comprehensive discussion of privacy and security con- 
cerns is given below. The invention addresses: 
Consumer Privacy Concerns. The invention fully respects 
consumer privacy concerns. In an implementation offer- 
ing AEUP, consumers may benefit from narrowly-targeted 
advice without ever needing to reveal their identity, nor 
any of the attributes that were checked in determining 
relevance, nor the fact of relevance itself. 
Consumer Initiative. In a typical mode of operation, no 
advice is received by the advice reader unless the 
consumer initiated the subscription. This protects the 
 consumer from unwanted communications. 
 Privacy of Automatic Operations. Under AEUP, the 
operation of gathering advice from sites, the operation 
of evaluating relevance, and the operation of displaying 
relevant advice to the consumer need not result in the 
disclosure of consumer data to the advice provider. 
Frustration of Intrusions. Certain embodiments of the 
invention contain mechanisms, described below, to 
prevent compromises of privacy even in case of certain 
 illegal eavesdropping activities. 
Consumer Security Concerns. The invention fully respects 
consumer security concerns. In an implementation offer- 
ing AEUP, consumers may benefit from narrowly-targeted 
advice without exposing themselves to security threats 
from malicious sources. 

Consumer Initiates Subscriptions. In a typical mode of 
operation, no advice is received by the advice reader 
unless the consumer initiated the subscription. The 
process of subscription to an advice site connotes 
limited trust by the consumer for the provider. Hence, 
in typical operation, advice is only received from 
trusted sites. 

Harmlessness of Automatic Operations. Typically, the 
process of gathering and evaluating advisories has no 
noticeable effects on the computer system. Any recom- 
mended solution is applied only upon prior notification 
of the user and subsequent approval. Consumers who 
use invention to merely peruse relevant messages, but 
do not follow the recommended actions, face no sig- 
nificant risk. 

 Disclosure of Potential Risks. By exploiting known user 
 interface methods, such as HTML display with hyper- 
 text links, the invention enables advice providers to 
inform consumers fully about potential risks associated 
with following a certain recommended course of 
action. 

Discovery of Consumer Complaints. Via devices that are 
discussed below (such as the Better Advice Bureau), 
consumers may use the advisory mechanism disclosed 
 herein to inform themselves about the existence of 
known and foreseeable privacy and security risks asso- 
ciated with specific advisories and/or advice providers 
before accepting proposed solutions. 

Correction of Known Defects. The invention allows 
advice providers to retract their own faulty advice. It 
 allows other people to criticize an advice provider's 
faulty advice. 

Automated Solution. The advice provider typically authors 
an advisory in such a way that the advice reader offers to 
apply a recommended solution operator automatically to 
the user system after the user has given approval. 
Thus, the invention provides a mechanism for efficiently 
matching consumers with highly specific relevant advisories 
in a communications structure which is responsive to con- 
sumer concerns. 
Layers of Invention 

The present document describes computed relevance 
messaging from many viewpoints, i.e. from one extreme of 
a general communications process to the other extreme of a 
set of specific protocols that have been implemented by 
Universe Communications, Inc. of Berkeley, Calif. It is 
worthwhile to classify the several layers of the invention as 
described herein: 

Relevance Guided Messaging. The general communica- 
tions process used by the invention has five elements (see 
FIG. 8): 

A Relevance Clause 80. An assertion about the state of a 
consumer computer, its contents, or environment which 
can be automatically evaluated by comparing the asser- 
tion with the consumer computer's actual state. 
Typically, the relevance clause is preceded by a subject 
 line 82 which gives a general description of the advi- 
 sory's subject matter. 

An Associated message 81. A message or messages asso- 
ciated with the clause whose suitability for the con- 
sumer is determined at least partially by the evaluation 
of the clause. 

A Gatherer 60 (see FIG. 6). An application that sees to it 
that relevance clauses flow into the consumer computer 
from various locations, perhaps by regular synchroni- 
zation. 

A Watcher 63 (see FIG. 6). An application that has the 
ability to evaluate relevance clauses, i.e. assertions 
about consumer computer's own environment, by com- 
paring them with the actual state of the environment, 
and by inspecting properties of the consumer computer 
and its environment and checking if these point towards 
or away from relevance. 
A Notifier 65, 66 (see FIG. 6). An application that has the 
ability to display messages to a user under at least 
partial guidance of an evaluated relevance clause. 
A key difference of the invention from other targeted 
information providers is that the invention provides a 
detailed tool for tapping into very highly defined targets, 
which other protocols for targeting information cannot 
match because they do not routinely have access to the state 
of the consumer's environment. 

The details of relevance guarded messaging are less 
important than this five-part model. For example, in one 
implementation, the five-part model is run on a computer 
network in a secure network such as a corporate intranet. In 
another implementation, the five-part model is run on a 
public computer network such as the Internet. Certain con- 
cerns that affect the public setting (e.g. security and privacy) 
might be completely irrelevant in the private setting, where 
those concerns are addressed by the physical control of the 
network. In either setting, the basic five-part model of 
relevance guarded messaging makes a valuable contribution 
to connecting providers with consumers. 

It is important to note that this five-part model may have 
embodiments in which these five parts are not immediately 
evident. Potential implementations which make it clear that 
there can be many superficially different ways of achieving 
this basic structure are described below. For example, the 
relevance clause and the associated message may be pack- 
aged together in the same file and communicated simulta- 
neously. In a different embodiment, the relevance guarded 
message can be communicated in two stages, where the first 
stage sends a relevance clause, and the second part is sent 
only if the first part leads to a relevant result and if the 
consumer computer asks the provider for the second part. 
Conceptually, the same useful effect can be obtained using 
either of these two messaging protocols. Both methods are 
embodiments of the same invention. 

Relevance Guarding with Security and Privacy. Owing to 
the tremendous importance of public networks, such as the 
Internet, an implementation of the five-part model which 
also addresses fundamental privacy and security concerns is 
of great significance. The mechanism by which the basic 
five-part model is extended (e.g. through AEUP, ASUP, or 
substantially equivalent protocols) to become a secure and 
private system over public networks is an important embodi- 
ment of the disclosed invention. It is potentially helpful for 
the broad consumer acceptance of computed relevance mes- 
saging. 

Preferred Embodiment of the Invention. The presently 
preferred embodiment of the invention consists of a large 
collection of different interacting components, carefully 
designed to meet the goals underlying this system. The many 
subsystems illustrate the potential of the invention in the 
technical support application. Those skilled in the art will 
appreciate that there are many other applications to which 
the invention may be put. 

Variant Implementations. The specific implementation 
was arrived at after a long series of different application 
areas were examined and carefully studied. This document 
describes in considerable detail a large number of variant 
implementations that modify the basic operation of the central 
implementation for other market areas or other demands. 
For example, in certain settings, the use of low communi- 
cations bandwidth is important and privacy is unimportant. 
A variation for that setting is discussed below. 
Invention Components 

The following discussion describes the key components in 
what is currently regarded as the best mode of implementing 
the disclosed invention. In this implementation it is assumed 
that communications are via standard Internet techniques, 
and that the advice provider and advice consumer are both 
relying upon standard network connected computers. 
Advice Provider Components 

The following is a listing of component names, followed 
in various subsections by a brief discussion of each com- 
ponent: 

advice site 

advisories 

site signature 

site description file 

inspector library files 

supplementary files 

While these general components may be implemented in 
many ways, it is easiest to describe their form and function in 
the currently understood best mode, based on the use of 
Internet communications protocols. Those skilled in the art 
will appreciate that this is not the only possible implemen- 
tation. 

Advice Site 

This is a standard place on the Internet (see FIG. 5), e.g. 
a URL-addressable directory on a server computer, com- 
bined with server software that responds to certain TCP/IP 
requests for information. 

The site directory may contain a plurality of files, includ- 
ing advisories, digests of advisories, and inspector libraries. 

The software associated with the server may perform the 
functions of an HTTP server, an FTP server, or a file server, 
thereby providing access to the files stored in the directory 
using well-known communications protocols. The software 
associated with the server may also perform the functions of 
a specialized server, implementing invention-specific com- 
munications protocols. 

These protocols may include: 

The ability to serve a directory message describing the 
contents of the site directory, including filenames, 
sizes, and dates; 



The ability to serve an abstract message which describes 
in abbreviated form the contents of the files in the 
directory; 

The ability to engage in security handshaking; 

The ability to perform challenges to advice readers to 
validate their authenticity; and 

The ability to meter traffic through the site, and compute 
 summaries of traffic levels. 

The function of advice site server software is to process 
certain requests made by an advice reader running on a 
consumer computer. The advice reader may request infor- 
mation about the directory of the site, may ask for abstracts 
of advisories, and may ask for contents of individual advi- 
sories. The transaction between advice server and advice 
reader is described further below. 
Advisories 

The advisories in an advice site are digital files. Adviso- 
ries typically have some of the following components: 
A relevance precondition written in a formal relevance 
 language, which is used to describe attributes of a 
 computer and/or its contents and/or its environment. 
 For more information on the relevance language, see 
 below. 

A humanly-intelligible component which may summarize 
the purpose of the message, may describe the author, 
may explain the precondition in human language, and 
may explain the solution in human language. 
A computer-intelligible component which potentially 
offers either software tools to solve the problem or 
Internet access to software tools solving the problem. 
In the currently understood best method for this 
implementation, an advisory is a specially formatted 
ASCII file built using the MIME Internet standards 
 track specification documented in RFC 1521 et seq. 
(see N. Borenstein, N. Freed, MIME (Multipurpose 
Internet Mail Extensions) Part One: Mechanisms for 
Specifying and Describing the Format of Internet Mes- 
sage Bodies, Internet Standards Track RFC 1521 
 (1993)). This format is currently used for transport of 
Internet mail; it contains headers documenting the 
sender of the message and its subject, and mechanisms 
for including digital signatures. A MIME file is easily 
transported over the Internet and is easily broken into 
its constituent components using parsing algorithms 
well-known in the Internet community. The advisory 
 file format is described further below (see also A Guide 
to Writing Advisories for Advice Net, Universe 
Communications, Inc., Berkeley, Calif. (1998)). 

Authoring Advisories 

Site Signature 

Associated with an advice site may be a certain digital 
signature mechanism, for example one of the standard 
signature mechanisms using public-key/private-key pairs. 
The signature mechanism may be used to sign advisories in 
a fashion that allows advice readers to verify that the 
advisory was in fact authored by the advice provider. 
Site Description Files 

The site description file (SDF) is a specially structured 
ASCII text file authored by the advice provider. It describes 
the provider's advice site and serves as the basis for a 
consumer to initiate a subscription. This file specifies the site 
location (URL), the site name, and site security 
characteristics, such as whether the site avows only advice 
which has been digitally signed. It also provides various 
parameters of the subscription process intended for use by 
the advice reader (for example, the recommended frequency 
of synchronization, and the type of subscription relationship 
(free/fee)). It may contain humanly interpretable text indi- 
cating the purpose of the site. 

The SDF may also contain the public key associated with 
advice authored by the site. This public key is needed to 
verify signatures on advice authored by the site. 

The SDF may also be signed by a trusted authority, to 
establish the authenticity of this site description file. For 
example, it may be signed by advisories.com or the Better 
Advice Bureau: see below. 

The SDF may also contain a ratings block, provided by a 
trusted ratings service, to establish trust in the respect for 
privacy and security and the usefulness of advice at this site. 
See, for example, below. 
Inspector Libraries 

Inspector libraries are libraries of special purpose execut- 
able code, which may be accessed by advice readers for the 
purpose of extending the capabilities of the relevance lan- 
guage. In effect, inspector libraries provide a mechanism for 
advice site specific extensions to the relevance language. 
Supplementary Files 

The contents of the advice site discussed so far play 
important roles in the ordinary conduct of the invention. In 
one typical implementation, additional files may be present 
in the advice site directory. In such an implementation, data 
and applications files which do not play a role in the conduct 
of the invention per se may be included in the advice site 
directory. These files are distributed as are other files at the 
advice site. This implementation allows the distribution of 
installers, uninstallers, shell scripts, JAVA, and Visual Basic 
programs, i.e. in general, packages of data, applications, and 
other resources, that may play a supporting role in evaluat- 
ing and following advice issued at the site. For example, 
such additional files may play a role as databases searched 
by the advice provider's own inspector libraries or as 
applications used in implementing the advice provider's 
recommended solutions. 
Advice Consumer Components 

The following is a listing of component names from the 
advice consumer perspective, followed in various subsec- 
tions by a brief discussion of each component: 

advice reader 

subscription database 

advice database 

user profile 

inspectors 

solution wizards 

Advice Reader 

The advice reader is an application running on the con- 
sumer computer. It is responsible for liaison with the advice 
site and for managing interactions with the user. The advice 
reader maintains a directory of files on the consumer com- 
puter. Inside that directory are contained various files 
described below which are used/managed in the course of 
advice reader operation. 

The advice reader has a number of jobs, which are listed 
below without elaboration: 

Manage subscriptions 

Synchronize with advice site 

Gather advisory files 

Unwrap advisory messages 

Manage advice Database 

Manage relevance Evaluation 

Evaluate relevance of Individual advisories 

Invoke inspectors 
Display relevant advisories to User 

The process is described in detail below. 
Subscription Database 

The advice reader maintains a database of subscription 
information which allows for the scheduling and conduct of 
site synchronization by the gatherer component. The sub- 
scription database contains information about the address of 
the advice site; information and recommendations provided 
by the advice site's site description file, such as recom- 
mended frequency of synchronization; information needed 
to verify digital signatures associated with the advice site; 
and information associated with the user's experience with 
the advice site. 
Advice Database 

The advice reader maintains a database of advice that has 
been received from various advice sites. These may be 
indexed according to the site from which they were received, 
according to the systems that the advice concerns, or accord- 
ing to other principles which would be helpful to the 
consumer or to the author. 

The advice reader may organize advice into pools of 
advice which share a common basis for treatment. Examples 
of this principle include a pool of advice specially targeted 
to the concerns of one user of a multi-user consumer 
computer, a pool of advice scheduled for manual relevance 
evaluation only, and a pool of advice scheduled for nightly 
evaluation at a certain time. 
User Profile 

The advice reader maintains a special file or files con- 
taining data which have been obtained from interviews with 
the user, deduced from his actions, or deduced from the 
properties of the computer or its environment. Such data 
may describe the computer or its environment, and may also 
describe preferences, interests, requirements, capabilities, 
and possessions and plans of the user, including things 
unrelated to computer operations. 

The file or files may be encrypted. The file or files may be 
organized by advice site so that they describe interests, 
preferences, and so forth to be accessed by relevance queries 
associated with a specific site only. 
Inspectors 

Inspector libraries contain executable code which may be 
invoked by the advice reader as part of the relevance 
evaluation process. Inspectors can examine properties of the 
consumer computer, storage devices, peripherals, 
environment, or remote affiliated computers. These are fur- 
ther described below. 
Solution Wizards 

Solution wizards support the process of automated solu- 
tion. They are applications which can perform stereotyped 
functions that are frequently of use for solving problems on 
computers. These are described further below. 
Transaction Overview 

The following discussion describes the basic model for an 
Internet-based transaction using the invention. 
Subscription Model 

In the invention, the initiative to begin an interaction 
typically comes from the consumer. The consumer becomes 
aware of the existence of an advice provider and associated 
advice site(s), for example, as part of installing a new 
hardware or software product on his computer, or as a result 
of advertising, or sharing experiences with other consumers. 
The consumer, after potentially informing himself about the 
kind of advice being offered at that site and its reliability, 
makes a decision to subscribe. The consumer, interacting 
with a piece of the advice reader called the subscription 
manager 67 (see FIG. 6), configures the advice reader to 
subscribe to the given advice site, by supplying it with either 
the corresponding site description file 68, or with a pointer 
to such a file, or with a pointer to the site itself which 
contains an instance of such a file. The consumer, after 
studying the terms of interaction recommended in the SDF, 
configures the parameters associated with the subscription, 
which control how frequently advice from the site is gath- 
ered. 

Advice Gathering Using AEUP 

Periodically, under the terms of the subscription, or manu- 
ally under user control, the advice reader initiates a site 
synchronization. A component of the advice reader, referred 
to as the gatherer, has the duty to synchronize the consumer 
site image with the current image of the advice site. These 
states can be different if the advice site has retracted advice 
or authored new advice since the most recent synchroniza- 
tion. The gatherer makes sure that there is a one-to-one 
correspondence between advisories at the advice site and 
advisories in the consumer machine. The gatherer opens a 
connection to the directory message server at the advice site. 
After an optional security handshake to verify the authen- 
ticity of the advice reader and server, the gatherer queries the 
server for a directory message. The gatherer inspects the 
response and checks whether the site directory has changed 
since the previous synchronization. If not, there is no need 
to obtain any files from the advice site, and the session may 
end. If the directory has changed, or if this is the first 
synchronization ever, the gatherer initiates FTP and/or 
HTTP and/or file server access to the new files. The gatherer 
also deletes any advisories on the consumer computer which 
no longer correspond to advisories on the server, and this 
terminates the synchronization of the consumer site image 
with the true site image. 

The protocol just described is the AEUP protocol that is 
described above. The gatherer is allowed, by the advice 
server, to gather all the files at the advice site anonymously 
or, at any rate, all files which have not previously been 
gathered. The intention is that the advice stored on the 
consumer machine consists at any given moment of all the 
advisories offered at the advice site at the time of the last 
synchronization, other than those that the user has specifi- 
cally deleted. Hence, there is no selective gathering. Rather, 
gathering is exhaustive, i.e. every piece of advice is gath- 
ered. The implications of this protocol and alternative pro- 
tocols are discussed below. 
Unpacking Advisories 

As described below, an advisory file is a potentially 
complex hierarchical structure, which may contain one or 
more than one message. The advice reader unpacks all the 
components of this structure. Components of the structure 
may be signed using a digital signature method, i.e. at 
unpacking time those signatures are verified. After 
unpacking, the advisories are entered in a pool of all advice, 
old and new, to be evaluated. In one typical implementation, 
the invention may suppress entry into the system of 
unsigned advisories or of advisories whose signatures can- 
not be verified. 
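
The gathering and unpacking steps described above, as an added example in Python that is not part of the patent text or of any implementation it describes. The in-memory AdviceSite, the file names, and the HMAC check standing in for the site's public-key signature are assumptions made so that the example runs offline.

```python
"""AEUP-style exhaustive synchronization, modelled in memory (added example)."""
import hashlib
import hmac

# Stand-in for the site signature mechanism. The text describes public-key
# signatures; HMAC-SHA256 with a constructed key is used only so that the
# example runs with the standard library alone.
SITE_KEY = b"constructed-demo-key"


def sign(body):
    return hmac.new(SITE_KEY, body, hashlib.sha256).hexdigest()


def verify(body, signature):
    return hmac.compare_digest(sign(body), signature)


class AdviceSite:
    """Hypothetical advice site: filename -> (body, signature, serial)."""

    def __init__(self):
        self.files = {}
        self.serial = 0          # stands in for the file date
        self.request_log = []    # everything the site learns from a reader

    def publish(self, name, body, signature=None):
        self.serial += 1
        if signature is None:
            signature = sign(body)
        self.files[name] = (body, signature, self.serial)

    def retract(self, name):
        del self.files[name]

    def directory_message(self):
        """Filenames with sizes and dates (here: length and serial)."""
        self.request_log.append("DIRECTORY")
        return {n: (len(b), s) for n, (b, _sig, s) in self.files.items()}

    def fetch(self, name):
        self.request_log.append("GET " + name)
        body, signature, _serial = self.files[name]
        return body, signature


class Gatherer:
    """Keeps the consumer site image in step with the advice site."""

    def __init__(self, site):
        self.site = site
        self.image = {}      # directory message seen at the last synchronization
        self.pool = {}       # filename -> advisory body admitted for evaluation
        self.rejected = []   # filenames whose signature did not verify

    def synchronize(self):
        directory = self.site.directory_message()
        if directory == self.image:
            return []        # nothing changed: the session ends here
        fetched = []
        for name in sorted(directory):
            if self.image.get(name) == directory[name]:
                continue     # already gathered in an earlier session
            body, signature = self.site.fetch(name)
            fetched.append(name)
            self.pool.pop(name, None)   # drop any older copy of this file
            if verify(body, signature):
                self.pool[name] = body
            else:
                self.rejected.append(name)
        # Retractions: remove advisories the site no longer offers.
        for name in list(self.pool):
            if name not in directory:
                del self.pool[name]
        self.image = directory
        return fetched


def demo():
    site = AdviceSite()
    site.publish("a.adv", b"advisory A (constructed)")
    site.publish("b.adv", b"advisory B (constructed)")
    site.publish("c.adv", b"tampered body", signature="00" * 32)
    reader = Gatherer(site)
    first = reader.synchronize()      # exhaustive: every file is requested
    second = reader.synchronize()     # unchanged directory: no file requests
    site.retract("a.adv")
    site.publish("d.adv", b"advisory D (constructed)")
    third = reader.synchronize()      # only the new file; a.adv is deleted
    return first, second, third, sorted(reader.pool), reader.rejected, site.request_log


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The request log holds only directory requests and one request per new file, so what the site observes is the same for every consumer regardless of that consumer's local state.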
Relevance Evaluation 

As a matter separate from gathering, the pool of all advice 
to be evaluated may be processed, either continuously, or 
according to a consumer-defined schedule, or an immediate 
user request, or some specified trigger event (see FIG. 9). 
The advice reader parses the individual message and iden- 
tifies the clauses determining relevance. These clauses are 
expressions in the formal relevance language which is 
described below. The advice reader parses the clauses using 
an expression tree generator 91 into a tree of elementary 
subexpressions (see FIG. 10) and then evaluates each sub- 
expression of the tree using an expression tree evaluator. If 
evaluation proceeds successfully and results in a value of 
True, the message is deemed relevant 93. A dispatch method 
94 is then used to consume the advisory which may include 
a file system injector that identifies appropriate directory 
and file name references 96 in various user volumes 97, 98; 
a registry inspector 99 that inspects an operating system 
registry 120; an operating system inspector 121 that inspects 
various system elements 122; or a hardware device inspector 
123 that inspects various system devices 124. 
Inspectors 

Evaluation of subexpressions is performed by methods 
called inspectors (see FIG. 11) which may perform 
mathematico-logical calculations, execute computational 
algorithms, return the results of system calls, access the 
contents of storage devices, and query devices or remote 
computers. These methods are called inspectors because a 
frequent purpose is to inspect the properties of the consumer 
computer, its configuration, or contents of its storage 
devices. Inspectors may come built in to the reader, and may 
also be plugged in via DLL or similar mechanisms. Thus, an 
object 130, property name 131, and/or string selector 132 is 
dispatched to a reader using a method dispatch module 134 
in accordance with dispatch information contained within a 
method dispatch table 133. Various inspectors 135, 136 are 
provided at a user location, each of which includes an 
inspector library 137, 139 and associated methods 138, 140. 
Inspectors are described in greater detail below. 
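
The relevance evaluation and inspector dispatch described above, as an added example in Python that is not the patent's relevance language or advice reader. The clause syntax (Python expression syntax parsed with the ast module), the inspector names, and the machine state are constructed for illustration; an evaluation that fails counts as not relevant, as the text states.

```python
"""Toy relevance evaluation: expression tree plus inspector dispatch (added example)."""
import ast
import copy
import operator

# Constructed snapshot standing in for the consumer computer's state.
SAMPLE_STATE = {
    "files": {"/opt/acme/driver.sys": {"version": (2, 1)}},
    "registry": {"HKLM/Software/Acme/Mode": "legacy"},
    "os_version": (5, 0),
}

# Constructed advice pool: (subject line, relevance clause). The clause syntax
# is an assumption of this example, not the patent's relevance language.
POOL = [
    ("Driver update available",
     'file_exists("/opt/acme/driver.sys") and '
     'file_version("/opt/acme/driver.sys") < (3, 0)'),
    ("Legacy mode unsupported on OS 6",
     'registry_value("HKLM/Software/Acme/Mode") == "legacy" and '
     'os_version() >= (6, 0)'),
    ("Version check on an absent file", 'file_version("/opt/missing.sys") < (3, 0)'),
    ("Clause naming a non-inspector", 'open("notes.txt")'),
]

_COMPARE = {ast.Lt: operator.lt, ast.LtE: operator.le, ast.Gt: operator.gt,
            ast.GtE: operator.ge, ast.Eq: operator.eq, ast.NotEq: operator.ne}


class EvaluationError(Exception):
    pass


class Watcher:
    def __init__(self, state):
        self.state = state
        # Method dispatch table: the only names a clause is able to invoke.
        self.dispatch = {
            "file_exists": lambda path: path in self.state["files"],
            "file_version": lambda path: self.state["files"][path]["version"],
            "registry_value": lambda key: self.state["registry"].get(key),
            "os_version": lambda: self.state["os_version"],
        }

    def is_relevant(self, clause):
        """Relevant only if evaluation succeeds and yields exactly True."""
        try:
            tree = ast.parse(clause, mode="eval")     # expression tree generator
            return self._evaluate(tree.body) is True  # expression tree evaluator
        except (EvaluationError, SyntaxError, KeyError, TypeError, ValueError):
            return False

    def _evaluate(self, node):
        if isinstance(node, ast.Constant) and isinstance(node.value, (str, int)):
            return node.value
        if isinstance(node, ast.Tuple):
            return tuple(self._evaluate(element) for element in node.elts)
        if isinstance(node, ast.BoolOp):
            values = (self._evaluate(value) for value in node.values)
            # all()/any() stop early, so later inspectors are not invoked
            # once the outcome is decided.
            return all(values) if isinstance(node.op, ast.And) else any(values)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not self._evaluate(node.operand)
        if isinstance(node, ast.Compare) and len(node.ops) == 1:
            compare = _COMPARE.get(type(node.ops[0]))
            if compare is None:
                raise EvaluationError("unsupported comparison")
            return compare(self._evaluate(node.left),
                           self._evaluate(node.comparators[0]))
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and not node.keywords):
            inspector = self.dispatch.get(node.func.id)
            if inspector is None:
                raise EvaluationError("no inspector named " + node.func.id)
            return inspector(*[self._evaluate(arg) for arg in node.args])
        raise EvaluationError("unsupported syntax: " + type(node).__name__)


def relevant_subjects(watcher, pool):
    """Subject lines the notifier would display, in pool order."""
    return [subject for subject, clause in pool if watcher.is_relevant(clause)]


def demo():
    state = copy.deepcopy(SAMPLE_STATE)
    watcher = Watcher(state)
    before = relevant_subjects(watcher, POOL)
    state["os_version"] = (6, 0)   # the machine changes; the pool does not
    after = relevant_subjects(watcher, POOL)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The second advisory sits in the pool unchanged and becomes relevant only after the machine state changes, and a clause can reach nothing outside the dispatch table because it is never passed to eval().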
User Interface 

After relevance has been decided for an item in the advice 
pool, a relevant item may be entered into a list of items to 
be displayed. This list may be displayed to the consumer 
according to typical user-interface models. The user- 
interface may inform the user about the author of the 
advisory, about the date the advisory was acquired, about the 
date the advisory became relevant, about the subject of the 
advisory, and about other attributes of the advisory message. 
The user interface may offer the user to display the explana- 
tory content of individual advisories. Depending on the 
advisory, the explanatory content may contain simple text 
explanations, or may contain more elaborate multimedia 
explanations. Depending on the advisory, the explanation 
may identify the situation which caused the advisory to be 
relevant, the implications of relevance, the recommended 
action or actions to take at this point, the anticipated effects 
of taking those actions or of not taking them, or the 
experiences of other users or other organizations with the 
proposed actions. The user studies this explanatory content, 
perhaps performing additional research (for example study- 
ing the trustworthiness of the provider, or the opinions of 
other users). 

Recommended Response 

As part of the display of a relevant advisory, the user is 
typically offered the possibility of an action in response to 
the situation. Possible outcomes include: 

consumer ignores information/proposal. The consumer 
reviews the advisory, decides he does not wish to 
 pursue it, ignores the content, and deletes the advisory. 

consumer is notified. The consumer reviews the advisory, 
or some other document it refers to, and learns some- 
thing important or interesting. 

consumer is entertained. The consumer reviews the 
advisory, or some other document it refers to, or some 
multimedia content it contains, or some multimedia 
content it refers to, and is exposed to a stimulating 
presentation. 
consumer forwards information to another. This may
include friends, family, colleagues, or associates.
Forwarding may involve off line transport or electronic
transport, such as e-mail.

consumer initiates correspondence with provider or other. 
This may include contact by mail, phone, fax, or 
e-mail. This may also include participation in an infor- 
mation exchange, including for technical support, 
training, or market survey purposes, as well as partici- 
pation in a sale or other commercial interaction. 

consumer initiates on-line participation in a timely event. 

consumer purchases object by e-commerce. This may 
include a purchase entered by clicking on a button in 
the advice reader window which entry to e-commerce 
mode. 

consumer fills out a form. This may include a form 
rendered by a Web browser, or a text file form intended 
to be returned by e-mail, or a form intended to be filled 
out and faxed or mailed back.

consumer initiates off line action in real world. This may
include any off line action ranging from actions
associated with the computer modifying the state of
hardware devices, gathering information in the environment
surrounding the computer, or reading some instructions
in a manual before beginning an online process. This
action may also include purely personal items.

consumer modifies system setting or data field on
computer. This may involve the consumer executing a
series of manual operations on the computer to change
settings of some system component or software
application or to modify an entry in a database.

consumer initiates an Install/Uninstall/Execute solution.
This may involve the consumer clicking on a button in
the advice reader, followed by automatic execution of
a sequence of download/install/uninstall/execute steps,
or it may require the consumer to access physical media
such as floppy disk or CD-ROM to perform an install
under direct supervision. It may involve automatic
execution, or execution under user control, following
instructions indicated for the user by the advisory.

consumer invokes Script file for solution. The advisory
may offer a series of instructions in a high-level
system-affecting language, such as AppleScript, DOS Shell,
UNIX Shell, Visual Basic, which the consumer is
expected to store as a file and then pass to a standard
interpreter (e.g. AppleScript Editor, DOS Command
Line Interpreter, UNIX Shell Command Line
Interpreter, or Visual Basic Interpreter). This action may
alternatively involve the consumer executing a series of
manual operations on the computer that involve typing
in commands one by one in a certain window of a
certain application.

Many concrete outcomes can be grouped among the
outcomes in this list.

Advisory File Format 

The advisory file format provides a mechanism to encode 
one single advisory or several advisories for transport across 
computer networks and other digital transport media, and to 
offer one or several variants of the same basic explanatory 
material. The following discussion describes the compo- 
nents of an advisory in general terms and describes the 
currently understood best method for implementing adviso- 
ries using MIME. 
Components of a Basic Advisory 

The most elementary advisory may have these logical 
components (see FIG. 8): 
Wrapper. Components designed to package the information
for transport and subsequent decoding.
From Line. Component identifying the advice author.
Subject Line. Component identifying briefly the concern
of the advisory.
Relevance Clause. Component in the formal relevance 
language precisely specifying the conditions under 
which the advisory could be relevant. 
Message Body. Component providing explanatory mate- 
rial potentially explaining to the user what condition 
has been found relevant, why the user is concerned, and 
what action is recommended. 
Action Button. Component providing the user the ability 
to invoke an automatic execution of the recommended 
action. 
Clause Variations 
Elaboration on the basic scheme may also be valuable: 
The advisory may contain an expires-when clause. This is
an expression in the formal relevance language which
causes the message to expire if it evaluates to True.
The advisory may contain an evaluate-when clause. This
is an expression in the formal relevance language
which causes the message to be evaluated for relevance
if it evaluates to True.
The advisory may contain a requires-inspector-library
clause. This may give the name of an inspector library
and a URL where it can be found. This indicates that a
certain inspector library must be installed for relevance
to be evaluated correctly.
The advisory may contain a refers-to clause, giving key- 
word labeling of systems referenced by the condition 
associated with the advisory. 
The advisory may contain a solution-affects clause, giving 
keyword labeling of possible effects of the recom- 
mended response. 
Other variations may be recognized as useful in the future. 
Such variations are not excluded from the scope of the 
invention. 
Display Variations 
The message body may occur in at least three forms: 
Text. The explanatory material may be an unconstrained 
ASCII text document. This has no embedded variations in 
presentation style (e.g. no changes in font and/or no hyper- 
text references to outside documents). 

HTML. The explanatory material making up the message 
body may be an HTML document. This is familiar from Web 
browsers. HTML documents may contain variations in the 
presentation of text, may contain tables and visual format- 
ting features, may contain references to external documents, 
and may contain references to external graphics files. 

Text/HTML. The explanatory material making up the 
message body may be given in both text and HTML forms. 
The advice reader has the option of using whichever form is 
more appropriate to the user. 

Further variations in message content, including audio 
and video content, are not excluded from the scope of the 
invention. 

Digital Integrity and Authenticity 

The message body may have digital authentication features
appended to the message to ensure its integrity and
authenticity.

A digital digest may be appended to the message to ensure
message integrity. At the time that the message is compiled
by the author, a specialized functional of the message body
may be computed and appended to the message. The recipient
of the message can verify the integrity of the message by
computing the same functional and verifying that it produces
the same result as that appended to the message. Known
examples of digital digests include CRC, MD5, and SHA.
Digital digests are familiar in the computer programming
community under the name hashing. The idea is that certain
mathematical operations based on modular arithmetic are
applied to a numerical representation of a body of text,
producing a numerical output ranging in magnitude from a
small number to a number requiring some dozens of digits
to represent, depending upon the details of the digest
mechanism. These arithmetic operations typically produce an
output which depends on the original body of text in a
discontinuous way which is not easily invertible. That is,
slightly different messages tend to have very different
digests. Also, it may be difficult to find any two messages
with the same digest, and if one of the two messages is
previously specified, it is particularly difficult to find another
message which happens to have the same digest.

The practical implication is that a transmission or recording
error which causes the advisory document to be modified
in some way from the author's original intent does not
typically result in a modified document that generates the
appropriate digital digest. In this way, modified documents
can be identified and suppressed from consideration.

A digital signature may be appended to the message to
ensure message authenticity (see C. Pfleeger, Security in
Computing, Second Edition, Prentice-Hall (1996); and PGP
4.0 Users Manual, PGP Pretty Good Privacy, Inc. (1997)).
This is a refinement of the digital digest idea, rendering the
digest secure against malicious tampering.

Digital signatures generally work as follows: At the time
that the message is compiled by the author, a digital digest
of the message is calculated. The digest is then encrypted
using an encryption scheme that is well known and widely
associated with the advice site. The encrypted digest is
considered the advice site's signature on the message, and is
appended to the message itself, labeled as a signature.

The advice reader, in seeking to verify the signature of the
site, attempts to decrypt the signature using the well-known
decryption algorithm associated with the advice site. A
successful decryption produces a digital digest which agrees
with the value that the advice reader calculates directly from
the message. An unsuccessful decryption produces a result
that does not agree with the digital digest of the received
message.

It is commonly accepted (see C. Pfleeger, Security in
Computing, Second Edition, Prentice-Hall (1996); and PGP
4.0 Users Manual, PGP Pretty Good Privacy, Inc. (1997))
that this approach, when used in conjunction with certain
well-known encryption systems, produces a secure digital
document. That is, it is accepted that a malicious agent
cannot easily modify a given valid advisory to produce an
impostor advisory which produces a successful decryption.
Indeed, to deceive this system successfully, it is necessary
for the impostor to generate the digital digest of the modified
document correctly and then apply the encryption algorithm
associated with the advice site. While the impostor may be
assumed to have learned the workings of the digital digest
mechanism, it is assumed that he is not able to encrypt
documents as if he were the advice site.

The fundamental assumption of modern cryptography
systems as applied to public communication is that certain
encryption/decryption algorithms can have widely known
decryption algorithms and keep the encryption algorithms
secret. Until this fundamental assumption is disproved, the
digital signature mechanism is widely considered an
effective authentication mechanism.

MIME

In the currently understood best method for structuring
advice for Internet transport, an advisory document is
packaged as a single ASCII text file which is a valid instance of
MIME file (see N. Borenstein, N. Freed, MIME
(Multipurpose Internet Mail Extensions) Part One:
Mechanisms for Specifying and Describing the Format of Internet
Message Bodies, Internet Standards Track RFC 1521
(1993)). […] format is used. Special extensions to MIME are
added to […] invention.

MIME is an Internet standards track format extending the
classical e-mail Internet standard commonly referred to as
[…] format is widely used for Internet
transport of electronic mail. It has four features of particular
usefulness in connection with advisories:

Header Lines. MIME specifies that a message body may
be preceded by an extensive message header consisting of a
variety of header lines, where individual lines begin with a
well known phrase and contain addressing, dating, and
related commentary. Some of these lines can be easily
adapted to serve the purposes of the invention. For example,
the From Line and Subject Line components of an advisory
can be implemented by the From: and Subject: header lines
that are already part of the MIME standard.

Extensibility. MIME provides a method for creating new
message lines in messages. This includes a method for
embedding the new message lines in messages and a method
for registering the new line with the MIME authorities. Key
invention constructs relevant-when and expires-when may
therefore easily be added to the MIME language in that
fashion.

Alternation. MIME provides a method, i.e.
Multipart-Alternate, for offering two different versions of the same
message, with the destination picking the appropriate
display method. Therefore, the invention construct of
transmitting one or more ways to display the same information may
easily be implemented using the MIME standard and its
Multipart-Alternate feature.

Digesting Mechanism. MIME provides a well-understood
mechanism, i.e. Multipart/mixed, for packing several
complete MIME messages into a single file for Internet transport.
MIME posits a recursive digest structure, in which a
message can have several related components, and each
component can itself be a MIME file inserted verbatim. Using
this feature, a MIME file can be used to digest many
component advisories, organized in a tree structure
reminiscent of the branching structure of a modern personal
computer file system.

Thus, MIME becomes a tool, not for packaging e-mail,
but instead for packaging a new kind of document, i.e. the
advisory. To avoid confusion, it should be appreciated that
an advisory is unlike e-mail because an advisory does not
have an intended recipient or list of recipients. Rather, it is
a broadcast message. An advisory typically has relevance
and related clauses, and an advisory typically has active
content. E-mail does not have relevance and related clauses,
and does not typically have active content. The advisory is
part of a new form of communications which can be
implemented within the MIME standard. The advisory
application of MIME addresses a different problem than
e-mail by omitting certain MIME clauses which were used
for e-mail, and by adding new specialized clauses which are
used in the relevance determination and advice management
process. In a certain sense, the relationship of advisories to
e-mail is comparable to the relationship between USENET
and e-mail. Both advisories and USENET news systems use
MIME as a packaging mechanism. However, both offer
means of communications which are distinct from e-mail.

Although MIME is a convenient method of realizing the
form of an advisory, there is no necessary connection of the
invention to MIME. There are many other common formats
in the Internet world, such as XML, which may be used for
representing advisories. In this disclosure, only the currently
understood best method for implementing the advice file is
discussed.

EXAMPLE

The following is an example of an advisory file:

Date: Sat Mar. 21, 1998 17:06:12 +0800
From: Jeremiah Adviser <jeremiah@advisories.com>
MIME-Version: 1.0
Organization: Universe Communications, Inc.
Subject: A better version of the advice reader is now available
relevant-When: version of application "advice.exe" < version "5.0"
Content-Type: text/html; charset=us-ascii
<HTML><BODY>
A better version of the advice reader is available.
Click to <A HREF="http://www.advisories.com/win98/advice50.exe">
Download </A> the latest version of advice reader.
</BODY></HTML>

Here the reader can see the various components of an
advisory embodied as MIME components:

Wrapper. MIME-Version and Content-Type header lines.
From Line. From: Jeremiah Adviser ...
Subject Line. Subject: A better version of ...
Message Body. An HTML fragment, beginning <HTML>
and ending </HTML>.
Action Button. Not present in this advisory. The active
component of the message (downloading) is handled by
the HTML HREF link. The user sees the word Download
and typically understands that a mouse click on
that word causes the indicated action.

Ratings Blocks

In an additional variation, it is possible for an advisory to
contain ratings blocks containing information rating the
advisory according to criteria such as privacy, security, and
usefulness. There exist standard formats for such ratings
blocks (see Khare, Rohit, Digital Signature Label
Architecture, The World Wide Web Journal, Vol. 2, Number
3, pp. 49-64 O'Reilly (Summer 1997), http://www.w3.org/DSIG)
and these are easily appended to messages with
MIME structure. See also below.

Relevance Language

Advisories have a format resembling the format of e-mail
messages, with many of the same components in the
message/digest headers. One key extension offered by
advisories is the institution of a new clause in the message, i.e.
the relevance clause. The relevance clause is preceded by the
keyword phrase relevant-When:. An expression from the
relevance language follows the keyword. The following
discussion describes the currently understood best method
for describing the state of a consumer computer.

Descriptive Language

The purpose of a relevance clause is to examine the state
of an individual computer and determine whether it meets
various conditions which combine to imply the relevance of
a certain advisory.

In the currently understood best method for implementing
the invention, the language itself, i.e. in the allowable
phrases of the language and the underlying semantics of the
phrases, provides an intellectual model of the components of
the consumer computer, its peripherals, storage devices,
[…], and related concepts. This is distinct from the usual
[…] computer languages, in which the language itself
[…] of the problem it is used to
address.

In common with traditional languages, the relevance
language contains a few elementary data types, such as
Boolean, integer, and string. Also in common with
traditional languages, it is permissible to write
arithmetico-logical expressions such as:

(2346+(-1234)/(1+2))>0

The meaning of a typical subexpression, e.g. 1+2, is apply
method + to the pair of objects resulting from evaluating the
two subexpressions 1 and 2. The pair of objects in question
are objects of type Integer having values of 1 and 2,
respectively. In the currently understood best method, the
relevance language has a full range of arithmetic, string, and
logical operations available, which are expressed as built in
[…] (see FIG. 12).

Unlike traditional languages, the relevance language
contains an abstract data type, World, which may be thought of
as the overall environment of the personal computer on
which the relevance clause is evaluated. This object has
properties. These properties yield objects of various types,
and these objects may have further properties (see FIG. 13).

World is a data type that, depending on the specific
implementation and on the specific system configuration,
may have many properties.

In the technical support application discussed above,
these properties may include the system folder property, the
CPU property, and the monitor property. Properties of an
object are obtained by applying assessor methods to the
object. The assessor method for the system folder of data
type World returns an object of type system folder. The
assessor method for the CPU property of data type World
returns an object of type CPU. These derived objects, in turn,
have properties of their own. For example, an object of type
CPU may have a collection of properties such as speed,
manufacturer, model, MMX, and cache. A method
corresponds to each of these properties which, when applied to
the object of type CPU, returns a result. For sake of
discussion, it can be assumed that speed results in an integer,
manufacturer results in a string naming the manufacturer,
model results also in a string, naming the model type, and
MMX and cache return the more specialized object types
MMX, and cache.

The relevance language implicitly postulates that the set
of inspectable properties of the consumer computer is
identical to the set of properties of data type World and the set
of properties derivable from World by repeated applications
of asking for properties of an object derived from World (see
FIG. 14). ObjectWorld gives an idea of the richness of the
object world derivable in this way in the technical support
application.

Example Relevance Clauses

The following are examples of relevance clauses as used
in a technical support application:

Existence of a Certain Application on the Consumer Computer

relevant-When: exists application "Photoshop"

The intent of this fragment is that application is a property
of World which takes an extra string parameter and returns
an object of type application. Exists is a property of any
object, which returns the Boolean True if the object exists.
If the application named Photoshop cannot be found by the
method implementing the application property, then the
result is a non-existent object, for which exists returns the
Boolean False.

Comparison of Version Numbers 

relevant-When: version of Control Panel "MacTCP" is 
version "2.02"

The intent of this fragment is that Control Panel is a 
property of the World which takes an extra string parameter 
and returns an object of type Control Panel. If the Control 
Panel named MacTCP cannot be found by the method 
implementing the Control Panel property, then the result is 
a non-existent object, for which version is not an allowed 
property, and evaluation fails. If the Control Panel named 
MacTCP is found, then version, being an allowable property 
of Control Panels, leads to invocation of a method which 
returns an object of type version containing the version 
number of that Control Panel, recorded in a particular 
format. This result is compared with the result of subex- 
pression version "2.02". This time version refers to a prop- 
erty of World, which takes an extra string parameter and 
returns an object of type version. If evaluation succeeds, the 
result of this comparison is Boolean: either True or False. 
Compare Modification Dates 

relevant-When: modification time of Photoshop PlugIn
"Picture Enhancer" is greater than time "10 January 1997
12:34:56+0800"

The intent of this fragment is that Photoshop PlugIn is a
property of the World which takes an extra string parameter
and returns an object of type Photoshop PlugIn. If the
Photoshop PlugIn named PictureEnhancer cannot be found
by the method implementing the Photoshop PlugIn property,
then the result is a non-existent object, for which
modification time is not an allowed property, and evaluation fails. If
the Photoshop PlugIn named PictureEnhancer is found, then
modification time, being an allowable property of a
Photoshop PlugIn, leads to invocation of a method which returns
an object of type time. This result is compared with the result
of subexpression time "10 January 1997". Here, time refers
to a property of World which takes an extra string parameter
and returns an object of type time. If evaluation succeeds,
the result of this whole expression is Boolean: either True or
False.

Automatic Parsing and Evaluation 

A key purpose of the relevance language is to enable an 
advice provider to publish advisories which can be accessed 
by the advice reader, running on a consumer computer, and 
be automatically read to determine, without intervention 
from the consumer, whether the advisory is relevant to the 
consumer. 

In the currently understood best method, the relevance 
language is implemented as a context free grammar which 
can be automatically parsed into a tree of subexpressions. 
The tree of subexpressions can be understood as an abstract 
structure whose nodes are methods and whose branches are 
subexpressions. 

This tree is represented using a standard notation in 
computer science: 

(node (expr-1) (expr-2) . . . (expr-n))

where node gives the name of the method to be applied, and
(expr-k) stands for the k-th subexpression to be furnished to
the method. For example, the expression:

(2346+(-1234)/(1+2))>0

can be parsed into the expression tree:

(>
  (+ (Integer 2346)
     (/ (Integer -1234)
        (+ (Integer 1) (Integer 2))
     )
  )
  (Integer 0)
)

The expression:

exists application "Photoshop"

can be parsed into:

(exists (application "Photoshop"))

The expression version of Control Panel "MacTCP" is
version "2.02" parses into:

(is
  (version (Control-Panel "MacTCP"))
  (version (string "2.02"))
)

Finally, the expression:

modification time of Photoshop PlugIn "Picture
Enhancer" is greater than time "Jan. 10, 1997"

parses into

(is-greater-than
  (modification-time (Photoshop-Plugin "Picture Enhancer"))
  (time (string "Jan. 10, 1997"))
)

In short, the goal of parsing is to identify a sequence of
method invocations to be applied. Procedures for parsing
context-free grammars into expression trees are
well-understood (see A. Aho, J. Ullman, Principles of Compiler
Design, Addison-Wesley (1977)). A lexer breaks the input
into a series of tokens. In the currently understood best
method, these tokens may take one of the following forms:

[String] A string of printable ASCII characters enclosed in
quotation marks (").
[Integer] A string of decimal digits.
[Minus] The character -.
[SumOp] The characters +-.
[PrdOp] The characters */ and the string mod.
[RelOp] The character sequences and the relational
phrases and or is not.
[Phrase] A sequence of one or more unquoted words, a
word being an alphanumeric string beginning alphabetically
and not containing embedded blanks. Phrases break at
reserved phrases.

Parsing proceeds mechanically according to a precedence
table giving the productions of a grammar. In the currently
understood best method, the productions in the grammar are
as follows:
<Goal> := <Expr>
<Expr> := <Expr> or <AndClause> | <AndClause>
<AndClause> := <AndClause> and <Relation> | <Relation>
<Relation> := <SumClause> [RelOp] <SumClause> | <SumClause>
<SumClause> := <SumClause> [SumOp] <Product>
    | <SumClause> [Minus] <Product>
    | <Product>
<Product> := <Product> [PrdOp] <Unary>
    | <Unary>
<Unary> := [Minus] <Unary>
    | [UnyOp] <Unary>
    | <Cast>
<Cast> := <Cast> as [Phrase]
    | <Reference>
<Reference> := [Phrase] of <Reference>
    | [Phrase] [string] <Restrict> of <Reference>
    | [Phrase] [integer] <Restrict> of <Reference>
    | [Phrase] [string] of <Reference>
    | [Phrase] [integer] of <Reference>
    | [Phrase] <Restrict> of <Reference>
    | [Phrase] [string]
    | [Phrase] [integer]
    | [Phrase] <Restrict>
    | [Phrase]
    | exists <Reference>
    | number of <Reference>
    | [string]
    | [integer]
    | it
    | ( <Expr> )
<Restrict> := whose ( <Expr> )

In this display, word stands for a reserved word in the 
language, [Phrase] stands for a phrase as defined in the 
discussion of lexical analysis on the previous page. 

A grammar can be used to generate a parser by any of
several means (see A. Aho, J. Ullman, Principles of Compiler
Design, Addison-Wesley (1977)). These may include
automatic parser generators, such as YACC, which create a
table driven finite state automaton that recognizes the
grammar. The table is created directly from the production forms
above. These may also include hand generation of recursive
descent parsers based on mimicking the productions of the
grammar in modules whose naming and internal structure
mimic the structure of the productions of the grammar.

All such approaches have the same basic result. New 
tokens are input, one-at-a-time, and compared with the 
current state and also with a table giving allowable type and 
mandated action on receiving that token, if any. The man- 
dated action can be interpreted as specifying the individual 
steps in the systematic building up of an expression tree. A 
typical action is that associated with the production: 

<Relation> := <SumClause> [RelOp] <SumClause>

which could be written, in a standard notation, as:

$$ = ($2 $1 $3)

This is interpreted as follows: $$ refers to the result of the
production, $1, $2, $3 refer to the component subexpression
trees, and the parentheses are notational devices that are
used to delimit expression trees. This action calls for the
association of the recognized <Relation> with an expression
tree. This results from joining expression trees which are
associated with the left subexpression and the right
subexpression with a root method that compares the two
expressions. Consider the expression version of Control Panel
"MacTCP" is version "2.02". Consider the state of the parser
at the moment that it attempts to apply the <Relation>
production with [RelOp]. The expression tree already
associated with the left subexpression, $1, has representation
(Control-Panel "MacTCP") and that associated with the
right subexpression, $3, has representation (version (string
"2.02")). The expression tree associated to the overall
<Relation> expression is the merger of these two according
to the pattern (is $1 $3). Hence, the resulting expression tree
is representable as (is (Control-Panel "MacTCP") (version
(string "2.02"))).
Associated with each production is an action of
appropriate form which describes how the tree is built. In certain
implementations, the tree may only be built up implicitly.

Parsing can continue normally, if at every step of the
parsing the next available symbol matches an allowable
type; or it can fail, if an unexpected combination occurs. As
soon as parsing fails, the piece of advice may be declared not
relevant.

In the currently understood best method of implementing
the invention, each valid method is already known to the
parser at parse time. Unlike some other languages, parsing
can fail if a clause is syntactically correct but uses phrases
that name currently unknown methods.

In the currently understood best method of implementing
the invention, each subexpression takes values which are
strongly typed and for which the type is known in advance.
Example data types include integer, string, and Boolean.
Each method is known at parse time to work with certain
combinations of data types of inputs and to give certain
definite data types as outputs. Attempts to apply methods to
forbidden data types are diagnosed as failure of the parse. If
so, the piece of advice may be declared not relevant.

At the successful completion of parsing, an expression
tree is built up consisting in essence of a collection of
method invocations and associated arguments and
associated data types of those arguments. Evaluation of the
expression is the process of performing the appropriate method
dispatching in the appropriate order.

Evaluation can be successful, or it can fail. It can fail, for
example, from excessive use of system resources,
unavailability of a resource, excessive delay in obtaining a resource,
or for some other reason. Successful evaluation can yield a
Boolean value of True or False or some other value. The
interpretation of a piece of advice as relevant is equivalent
to saying that the evaluation is successful, the value was
Boolean, and is true.

In particular, if a certain subexpression cannot be
interpreted as a valid expression in the language, if the
subexpression attempts to apply methods to forbidden data types,
or if the subexpression cannot currently be evaluated, the
whole expression can fail, and the advice is automatically
declared not relevant.
Extensible Language 

The purpose of the relevance language is to describe precisely the
state of a computer, its contents, attachments, and environment. This
state can change as the consumer purchases new software and/or
hardware, or as new software/hardware objects are invented. This state
can change as consumer computers are used to represent consumers in
new problem areas, for example, in personal finance, management of
communicating devices in the home, or other areas.

Consequently it is not possible to delimit in advance the components
of state that may be of interest to which the invention provides
access. It is desirable for the relevance language to give future
authors the ability to extend the relevance language to express
concepts about system state that have not yet been conceived.

In one implementation of the invention, the vocabulary of the relevance
language may be extended by the authorities and by authors at
individual advice sites.

In that implementation, the relevance language is extensible by
developing dynamically loaded libraries which add new vocabulary and
semantics to the language and/or modify existing vocabulary and
methods. These are referred to herein as inspector libraries and may
be downloaded from an advice site and installed on a given consumer
computer, thereby changing the meaning of the relevance language on
that computer, and allowing new bodies of advice to be interpreted on
that computer.

These dynamically loaded libraries contain declarations of the new
data types which must be added to the language, of the new properties
associated with the data types, of the data type resulting when a
specific property is obtained for an object of a specific type, and of
methods, i.e. executable code that implements access to the properties.
Non-Procedural Language

Unlike many languages used in connection with the operation and/or
maintenance of computers, the relevance language does not need to be
procedural. That is, it need not specify how to manipulate the
contents of various fragments of memory. This is the opposite of being
descriptive. It is not necessary to enable traditional procedural
services, such as loops, assignments, and conditionals.

On the contrary, making these services available in an expansive
fashion may pose various security and privacy threats, by making it
easy for carelessly written or maliciously written advisories to
consume excessive resources at evaluation time.

In the currently understood best method of implementing the invention,
procedural services are not made available in the relevance language.
As inspection of the above grammar description shows, the language has:

no named variables 

no assignment statements 

no function calls, or at least no explicit function calls with
variable arguments

no loops or conditional execution

These differences in appearance between the relevance language and
other common languages are rooted in the following view:

Because of concerns about unattended evaluation, the language should
ideally have no side effects on the computer or environment.

To inspire consumer confidence, consumers must be able to see for
themselves that the language has no effects on the computer or
environment.

A descriptive language, unlike a procedural one, has the appearance of
having no side effects.

In short, the structure of the language and the visible limitations
should communicate a message of security to the consumer.

The following discussion addresses two key differences of 
the relevance language from procedural languages: 

Function Calls. The relevance language has method dispatches which
correspond to function calls in some other languages, but they are of
a more tightly constrained form.

First, there are the unary methods and the binary methods that occur
in arithmetic and logical operations: and, or, and similar operations.
These can be thought of as unary or binary function calls, but they
are of a very restricted form, implementing well understood methods
that typically pose little danger or resource burden.

Second, there are unnamed properties such as modifica- 
tion time. 

Third, there are named properties such as application "Photoshop".

The unnamed properties can be thought of as function calls applied to
an object, but very bland ones, because no parameters are involved.
Typically, a property is computed by extracting a certain value from a
certain slot of a data structure. They typically pose little danger or
resource burden. The named properties may be thought of as
two-variable function calls. The first variable is the object and the
second object is the string name-specifier. However, these also are
not very general operations because the string name-specifier, in one
implementation, may not itself be a computed result. It must instead
be a string constant. The types of calculations that can be specified
in this way are tightly constrained. Again, typically a named property
is computed by extracting a certain value from a certain slot of a
data structure, so it poses little danger or resource burden.
Loops and Conditional Execution 

The relevance language has no for, while, or if statements, 
but it does have a limited ability to perform iteration. It does 
this using a construct referred to as plural properties. In the 
relevance language there can be both singular and plural 
properties, e.g. both entry and entries properties, the first 
referring to a result which must be a singleton and the 
second referring to a result which may be a plurality. 
Typically, pluralities are further qualified by the use of the 
whose ( ) clause to restrict to subcollections. 

By the plural-singular dichotomy, certain fine distinctions 
of meaning may be maintained. For example: 

exists application "Photoshop" 
has the meaning that there exists exactly one such applica- 
tion; and 

exists applications "Photoshop" whose (version of it is version "4.0")

has the meaning that there exists one or more than one application
called "Photoshop", and among those there exists one with version 4.0.

In the second example, an iteration is implicitly performed over the
collection of all applications called "Photoshop" on the system in
question, so the effect of a loop is obtained without using
traditional procedural programming.
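The singular/plural distinction and the implicit iteration can be sketched as follows. This is an added example, not code from the patent; the inventory, the function names and the test counter are assumptions made for illustration.

```python
class NotSingular(Exception):
    """A singular property matched zero objects or more than one."""


# Constructed inventory standing in for what an application inspector
# would report on one consumer computer (two copies of Photoshop).
INVENTORY = [
    {"name": "Photoshop", "version": (4, 0)},
    {"name": "Photoshop", "version": (3, 0)},
    {"name": "SimpleText", "version": (1, 4)},
]


def version(text):
    """Cast a string specifier such as "4.0" into a comparable version."""
    return tuple(int(part) for part in text.split("."))


def applications(name, inventory):
    """Plural property: every matching object, possibly none."""
    return [app for app in inventory if app["name"] == name]


def application(name, inventory):
    """Singular property: the result must be a singleton."""
    matches = applications(name, inventory)
    if len(matches) != 1:
        raise NotSingular(f"{len(matches)} applications named {name!r}")
    return matches[0]


def whose(collection, predicate, counter):
    """Restrict a plurality; `it` is bound to each member exactly once."""
    kept = []
    for it in collection:
        counter["tests"] += 1
        if predicate(it):
            kept.append(it)
    return kept


def exists_singular(name, inventory):
    """exists application "<name>": true only for exactly one match."""
    try:
        application(name, inventory)
    except NotSingular:
        return False
    return True


def exists_plural_whose(name, wanted, inventory):
    """exists applications "<name>" whose (version of it is version "<wanted>").

    Returns (result, number of predicate tests). The clause author supplies
    no loop bound: the work is fixed by the size of the collection that the
    inspector returns.
    """
    counter = {"tests": 0}
    found = whose(applications(name, inventory),
                  lambda it: it["version"] == version(wanted), counter)
    return bool(found), counter["tests"]


if __name__ == "__main__":
    print(exists_singular("Photoshop", INVENTORY))
    print(exists_plural_whose("Photoshop", "4.0", INVENTORY))
```

With two copies installed, the singular form is false while the plural form with the whose clause is true, and the predicate is tested once per matching application.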

The restrictions on the expressiveness of the language 
help make the language safer from the viewpoint of privacy 
and security guarantees (see below). Nevertheless, the lan- 
guage is designed to be powerful in that it is intended to be 
highly expressive. A few words in this language provide 
access to answers about the system state which would be 
impossible to obtain in traditional procedural languages 
short of writing hundreds of lines of code and invoking 
many specialized functions in system libraries. 

If an apparent need should arise for the kind of services that
traditionally are handled by procedural languages, it may typically be
satisfied by extending the relevance language using the inspector
library mechanism mentioned earlier, and described in more detail
below. This has two advantages:

[Efficiency] Including new inspectors by this extension mechanism,
rather than by offering procedural services in the relevance language,
leads to more efficient execution. Inspectors typically make available
efficient compiled methods of execution, minimizing burden on system
resources at relevance evaluation time while the relevance language is
interpreted, which is typically slower.

[Security] Including new inspectors by this extension 
mechanism allows one to correct problematic situations. If 
a certain complex expression is used in many places and has 
bad side effects, then it can be very hard to correct. If an 
equivalent piece of code is included as an inspector library, 
then one can identify the problematic code by using the 
relevance language to identify whether that inspector is 
installed on the user computer. This makes it possible to 
write counter advisories against advice that depends on 
inspector libraries. 
Consumer-Accessibility 

The relevance language controls the execution of a system on a
potentially vast number of computers. It is highly desirable, though
not strictly necessary, for a relevance clause to be something which,
in principle, a consumer could read and form an approximate
understanding of, though few users may choose to do this in most cases.

In the currently understood best method of implementing the invention,
the syntax of the relevance language resembles the syntax of plain
English, with key roles in the language played by clauses formed from
articles such as of, as, whose, and verbs such as exists.

The highly constrained nature of the language fosters consumer
understanding. The language avoids constructs which assume a computer
programming background by suppressing concepts such as arrays, loops,
and conditional evaluation.

Inspector Libraries
Components of Inspector Libraries

Parsing of a clause in the relevance language results, conceptually, in
the generation of a list of method dispatches (see FIG. 11), in which
certain methods are called in a certain order with certain argument
lists. This evaluation is a process of systematically carrying out the
sequence of method dispatches in the appropriate order. Method
dispatches are an important aspect of the relevance process.

An inspector library is a collection of methods (see FIG. 15) and
associated interfaces which allows for the installation of methods into
the advice reader. Because of the structure of the parser and the
evaluation process, an inspector library may contain some of the
following components:

Declaration of a [Phrase] to be used in the relevance language.

Association of that [Phrase] to a specific method.

Declaration of a new data type to be used in the evaluation process.

Declaration of the calling prototype of the method. This includes the
number and the required data types of the arguments to be supplied to
the method.

Declaration of the result data type of the method.

Implementation of that method in executable form.

Declaration of special hooks associating code to be called on events,
such as advice reader initialization, advice reader termination,
beginning of advice reader main evaluation loop, and ending of advice
reader main evaluation loop.

Declaration of special hooks associated with creation and maintenance
of special caches associated with the method.

Implementation of special event methods and cache methods in
executable form.

Conceptually, an inspector library can be linked into the advice reader
with all the declarations evaluated, resulting in changes to the advice
reader's internal data structures, so that new method invocations
become available.

These declarations affect two fundamental data structures of the
system. The first is a syntax table giving all allowed phrases and the
associated data types on which they may operate and the associated
data types that result. This is used at lexical analysis time. The
second is a method dispatch table, giving a systematic way to
determine the associated executable method for a given phrase and data
types. This is used at evaluation time.

Object-Oriented Structure

A convenient way to implement the above inspector library structure is
to rely on the features of a modern object-oriented programming
language, such as C++. In effect, the built-in features of such a
language, i.e. object declarations, polymorphism, and operator
overloading, are ways of declaring that certain phrases have a certain
meaning when applied to certain data types, and of systematically
organizing that information. Other features, such as constructors,
copy-constructors, and destructors, are ways of defining certain
initialize time and terminate time code bodies.

In the currently understood best method, such features of modern
object oriented languages are used to provide the [illegible]
[illegible] implementation, as described above, it is possible
[illegible] instance of the [illegible] recognized [Phrase]s in the
relevance language, the set of allowable data types at evaluation time,
the set of methods associated with those data types.

In short, the relevance language may be dynamically constituted. In one
implementation, inspector libraries may be created by advice providers
and downloaded to the consumer computer as part of the site
synchronization. Such libraries may be managed by the advice reader,
for example, by storage in a well known location, such as a
subdirectory of the overall directory managed by the advice reader. The
inspector libraries in this directory may be linked into the advice
reader at the time the advice reader is initialized. [illegible] this
linking happens, declaration routines are invoked, installing new
[Phrase]s in the lexical analysis [illegible] relevance language, and
associating these [Phrase]s to certain method invocations. The language
expands in this way to include new descriptive possibilities.

Layered Language Definition

The relevance language may therefore be open ended, [illegible]
extensions. Hence, to understand a completely installed system is to
understand the layers which have been installed, and to understand the
methods that each layer provides. In a typical installation, these
layers are as follows:

Base Layer. Contains the basic mechanics of clause evaluation: a number
of basic built-in phrases and associated methods. It is expected that
the base layer is the same on every consumer computer carrying the
advice reader.

System-Specific Layer. This consists of a layer associated with a
certain operating system, giving information about the characteristics
of a certain family of computers and their attached devices and
environment. For example, such a layer, in one implementation,
provides methods to get the system date and time, the sizes of various
files, the contents of the PRAM, or the names of attached peripheral
devices.

Vendor-Specific Layers. This collection of potentially a large number
of extensions layers is typically produced by third parties, giving
special access to the internals of certain hardware devices and
software products. One can think of potential authors ranging a span
of products from hardware producers (e.g. of cable modems) to software
producers (e.g. of Photoshop and plug-Ins) to service providers (e.g.
America On-Line).

Example: Version Inspector

The following is an example of an inspector for the version property of
data type Application under the Macintosh OS. This inspector declares
the following:

A new [Phrase] to be added to the relevance language: version;

A new data type, version, which has already been referred to in several
examples above;

Several properties of this data type which are available under
Macintosh OS:
  Major Revision. The leading numeric field of the revision number.

  Minor Revision. The secondary numeric field of the revision number.

  Stage. A String, such as Alpha, Beta.

  Country. A String, such as USA or France.

  String1. A String.

  String2. A String.

Methods, in the form of executable code, which implement the above
properties by opening the resource fork of the application, extracting
the desired information, and converting into the required data types.

A new named property of World, version, which casts a string property
specifier, such as the 1.1 in version 1.1, into a version data type.

Upon installation, this inspector makes available to the 
system a series of data types and properties which may be as 
depicted in FIG. 14. As an example, to check if the beta 
version of an application with version number 0.99 is used, 
one might write the relevance clause: 

Stage of application "Netscape Navigator" is "Beta"
and Minor Revision of application "Netscape Navigator" is 99
and Major Revision of application "Netscape Navigator" is 0

Special Inspectors 

The language extension mechanism described above has 
powerful consequences, for example, as described in the 
following: 
OS Inspectors 

A system specific inspector can access the properties of 
the operating system and allow advice to be written to verify 
the existence and configuration of attached devices and other 
subsystems. 

The following is an example of a valid fragment written for use with
the Macintosh OS inspector library:

exists serial device "Modem Port" 

The intent of this fragment is to check if this is the type of
Macintosh having a dedicated modem port, which is to be distinguished
from a Modem/Printer Port. The property of World referred to as serial
device potentially matches several different devices. The qualifier
selects from among those the one which has the name "Modem Port." If
there are any such devices, the phrase evaluates to True. If not, the
phrase evaluates to False.

input name of serial device "Modem Port" is ".AIn"

The intent of this fragment is to check if the modem port is using the
standard serial driver for that port. The specific property of World
referred to as serial device "Modem Port" is an object with property
input name. The fragment checks to see if this is equal to .AIn, its
usual value in the Mac OS.

Examples of other properties and data types available in 
the Macintosh OS inspector library include: 

Physical RAM. Property of World. Integer-valued: num- 
ber of bytes of installed RAM memory. 

Logical RAM. Property of World. Integer-valued: number 
of bytes of installed RAM memory and virtual memory. 

Virtual Memory. Property of World. Boolean-valued: 
True if the virtual memory option is enabled. 

PowerPC. Property of World. Boolean-valued: True if the 
CPU is a PowerPC. 

System version. Property of World. Data type: version.
Version of system which is currently installed.

ROM version. Property of World. Data type: version. 
Version of ROM which is currently installed. 
These examples make it clear that one can write relevance clauses which
target machines having, for example, a small amount of memory,
outdated ROMs, or old system versions.
Registry Inspector 
Modern personal computer operating systems, such as Windows 95 and
Macintosh OS 8, have special databases referred to as registries which
record a considerable amount of information about the configuration of
the system, and the installation of certain pieces of software. A
registry inspector is an inspector library which, when installed in the
advice reader, enables the relevance language to refer to and evaluate
properties of the registry database.

The following is an example on the Macintosh platform:

22=integer value of entry "APPL.interrupt" of entry "bandit" of entry
"Device Tree" of entry "devices" of Registry

The intent of the fragment is to enter the Macintosh name registry,
find entry "devices", look for the entry "Device Tree" within that, and
descend to the subentry "bandit" and then the subsubentry
"APPL.interrupt". The resulting entry is then converted into an integer
value and compared with code 22.

The registry may contain a vast amount of information about the
computer on which it operates. The registry inspector makes all this
information accessible to the relevance language.
Preferences Inspector 

Typical application programs on modern computers, such as Netscape and
Microsoft Word, have special databases, referred to as preferences
files, which record a considerable amount of information about the
configuration of a certain program. A preferences inspector is an
inspector library which, when installed in the advice reader, enables
the relevance language to refer to and evaluate properties of the
preferences file of a specific application.

The following is an example: 

Suppose that the Web browser application Netscape Navi- 
gator has a preferences file, which associates to various 
content types. A helper application knows how to process 
that content type. For example, a helper application associ- 
ated with a graphics file of type JPEG might be JPEGView, 
and a helper application associated with type x-pn-realaudio 
might be RealAudio Player. 

Suppose that an advice provider called RealAudio wants 
to author advisories which target users whose Web browsers 
are misconfigured, and to provide them with automatic 
corrections to the configuration. 

Suppose that there is available a Netscape Navigator 
Preferences inspector and that, after installation of that 
inspector in the advice reader, Netscape Navigator Prefer- 
ences becomes a property of World. 

This provider could then target consumers with RealAu- 
dio products, but improperly configured Web browsers, by 
authoring an advisory with relevance clause: 

exists application "RealAudio Player 4.0"
and exists application "Netscape Navigator"
and ((helper name of entry "x-pn-realaudio" of entry
"Helper Table" of Netscape Navigator Preferences)
is not "RealAudio Player 4.0"
)

The intent of the fragment is to access the Netscape Navigator
Preferences file, find entry "Helper Table", look for the entry
"x-pn-realaudio" within that, and extract the associated helper name.
The resulting entry is a string which is compared with "RealAudio
Player 4.0."

The preferences file of a modern software application contains a
considerable amount of information about the working of the
application, and a preferences inspector makes all this information
accessible to the relevance language.

Database Inspector 

Many consumer computers contain, either explicitly or 
implicitly, a commercial database which stores information 
about the consumer. Examples include: 

Databases associated with personal finance programs. Consumers who use
CheckFree, Quicken, and similar programs implicitly have databases on
their machine.

Databases associated with small office suites. Consumers who are
running small businesses have customer databases, supplier databases,
and accounting databases on their machines.

A database inspector is an extension to the base relevance 
language whose purpose is to allow the relevance language 
to access fields in a database. An example syntax is as 
follows: 

numeric field "CURRENT BALANCE" of FoxBase Database "Personal.DBF" <0

The intent of this fragment is as follows: The advice provider is
attempting to reach consumers who use CheckFree. Users of CheckFree
have a FoxBase-created database resident on their machine which is
identified as Personal.DBF. The fragment intends to reach such
consumers whose current bank balance, as indicated by the database, is
negative. The semantics of the evaluation depend on the implementation
of the FoxBase Database inspector.

It may be assumed that this works as follows: A database named
Personal.DBF is located on the consumer computer's mass storage, is
interpreted as if in FoxBase format, and the numeric field with field
name CURRENT BALANCE is extracted. The fragment then compares the
extracted value to the value 0.

Note that if the consumer does not have a database of the 
indicated type, the clause above fails to parse or fails to 
evaluate. Either way, it is not declared relevant. This reduces 
the need to worry about qualifying clauses of this type by 
lengthy preambles which check if the software of a certain 
type is available. Parse time failure could occur because the 
consumer computer does not have the FoxBase Database 
inspector installed. Evaluation time failure could occur 
because the file Personal.DBF cannot be located. 
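
The parse-time and evaluation-time failure paths described above, together with the typed dispatch table that inspector libraries extend, can be modelled as follows. This is an added example, not code from the patent: the `AdviceReader` class, the tuple form of the already-parsed clause, the in-memory `disk` and the inspector's internals are all assumptions made for illustration.

```python
class ParseFailure(Exception):
    """Unknown phrase or forbidden data types; detected before anything runs."""


class EvalFailure(Exception):
    """A method could not produce a value (missing file, resource limit...)."""


LITERAL_TYPES = {bool: "boolean", int: "integer", str: "string"}


class AdviceReader:
    def __init__(self):
        # Combined syntax and dispatch table (hypothetical layout):
        # (phrase, argument data types) -> (result data type, method)
        self.table = {}
        # Base layer, present on every reader.
        self.install("less than", ("integer", "integer"), "boolean",
                     lambda a, b: a < b)

    def install(self, phrase, arg_types, result_type, method):
        """The declaration step an inspector library performs when linked in."""
        self.table[(phrase, tuple(arg_types))] = (result_type, method)

    def compile(self, node):
        """Parse-time pass: resolve every phrase and data type up front.

        Returns (result type, zero-argument callable). Nothing is executed
        here, so an unknown phrase or a type error never reaches a method.
        """
        if not isinstance(node, tuple):
            kind = LITERAL_TYPES.get(type(node))
            if kind is None:
                raise ParseFailure(f"unsupported literal {node!r}")
            return kind, lambda: node
        phrase, *args = node
        compiled = [self.compile(arg) for arg in args]
        key = (phrase, tuple(kind for kind, _ in compiled))
        if key not in self.table:
            raise ParseFailure(f"{phrase!r} is not defined for {key[1]}")
        result_type, method = self.table[key]
        return result_type, lambda: method(*(run() for _, run in compiled))

    def is_relevant(self, clause):
        """Return (relevant, reason); every failure path yields not relevant."""
        try:
            result_type, run = self.compile(clause)
        except ParseFailure as err:
            return False, f"parse failure: {err}"
        if result_type != "boolean":
            # Types are known in advance, so this is rejected without running.
            return False, "result is not Boolean"
        try:
            value = run()
        except Exception as err:  # any evaluation problem fails closed
            return False, f"evaluation failure: {err}"
        return value is True, "evaluated"


def install_foxbase_inspector(reader, disk):
    """Hypothetical inspector; `disk` is a dict standing in for mass storage."""
    def open_database(name):
        if name not in disk:
            raise EvalFailure(f"{name} cannot be located")
        return disk[name]

    def numeric_field(field, database):
        if field not in database:
            raise EvalFailure(f"no field {field!r}")
        return database[field]

    reader.install("FoxBase Database", ("string",), "foxbase database",
                   open_database)
    reader.install("numeric field", ("string", "foxbase database"),
                   "integer", numeric_field)


# numeric field "CURRENT BALANCE" of FoxBase Database "Personal.DBF" < 0
CLAUSE = ("less than",
          ("numeric field", "CURRENT BALANCE",
           ("FoxBase Database", "Personal.DBF")),
          0)


def demo():
    """Run the clause on four constructed consumer computers."""
    results = {"no inspector": AdviceReader().is_relevant(CLAUSE)}
    for label, disk in [
            ("file missing", {}),
            ("overdrawn", {"Personal.DBF": {"CURRENT BALANCE": -120}}),
            ("in credit", {"Personal.DBF": {"CURRENT BALANCE": 50}})]:
        reader = AdviceReader()
        install_foxbase_inspector(reader, disk)
        results[label] = reader.is_relevant(CLAUSE)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:13} -> {outcome}")
```

Only the overdrawn machine reports the advice as relevant; the machine without the inspector fails at parse time and the machine without the file fails at evaluation time, and both are treated as not relevant.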

An application of this technology is in the technical support arena.
Suppose that an advice provider publishes software which, as with
CheckFree, creates and manages a database, and the provider would like
to help consumers keep the database well updated. The advice provider
could author advisories which target common problems in the consumer
database, e.g. consumers who forgot to initialize the database with the
correct balance. Such advisories would call these problems to the
attention of consumers who have them, as well as specifying solutions
to the problems.
User Profile Inspector 

The invention maintains a file or files offering a user 
profile, consisting of certain identifying phrases and asso- 
ciated values. 

A user profile inspector is an inspector library that can be 
installed in the advice reader and which enables the rel- 
evance language to refer to data stored in the user profile. At 
a high level of abstraction, this is the same type of function 
that is enabled by the database inspectors or registry 
inspectors, only with a different database being inspected. 

As an example of how such an inspector might be used, suppose it was
desired to reach users with Zip Codes of the form 947XX. Supposing that
the user profile has a variable referred to as Zip Code, the relevance
clause:

947=(value of variable "Zip Code" of User Profile as integer)/100

would provide the needed functionality. The intent of this clause is as
follows: The user profile is inspected, the variable named Zip Code is
extracted, it is converted from string to integer, and the resulting
integer is divided by 100. The two trailing digits are lost in the
process, leaving an integer with three digits that may be compared to
947.

In one implementation, the user profile is a dynamically expanding
database, with new variables added as advice providers need them. A
mechanism is provided so that an advice provider can author a template
file which describes a collection of variables to which the advice
provider plans to refer in advisories and would like the consumer to
specify. The template file is placed at the advice site and is
automatically gathered at synchronization time. The template file is
used to drive an editing module on the consumer computer which presents
the user a list of the template variable names and a list of their
current values or blanks if they have not previously been defined. The
user can then fill in the blank fields and edit other fields. In this
way, the variables which the provider wants defined can be brought to
the attention of the user and edited.

The portion of the user profile associated with the specific advice
site in this way is called the site profile. The advisory with
relevance clause:

not exists Data file of site Profile

checks whether the site profile has been initialized for this site. If
not, the advisory should have, as human-interpretable content, a
message which indicates that the advice provider would like the user to
fill out the user profile variables needed for correct functioning of
advice associated with that site. It should have as computer
interpretable content an invocation of an editing module which uses the
new template to present the user with choices for editing a new user
profile.

The advisory with relevance clause:

Modification Time of Data file of site Profile < Modification Time
of Template file of site Profile

checks whether the site profile has been updated since the 
last new template file. If not, the advisory should have, as 
human interpretable content, a message which indicates that 
the advice provider would like the user to add some new user 
profile variables needed for the future correct functioning of 
advice associated with that site. It should have as computer 
interpretable content an invocation of an editing module 
which uses the new template and the old profile to present 
the user with choices for editing. 
Remote Inspector 

In principle, inspector libraries can also give the relevance 
language the ability to inspect properties of other commu- 
nicating devices. These include: 
Remote Physical Measurements. Ask other devices for 
information which those devices can measure, the 
information possibly to include position, temperature, 
voltage, or status of a process. 
Remote Device Queries. Ask other devices for informa- 
tion about themselves or about their state. 
Remote Computation. Ask other computers for the result 
of a calculation, for example a calculation specified by 
a formula, program, or script provided by the inspector. 
Remote Database Queries. Ask other computers with 
databases to answer queries concerning contents of 
those databases. 
Remote relevance Invocation. Pass a relevance clause to
another computer and obtain the result, as evaluated by 
the other computer in that computer's environment. 
The following is an example of a remote physical measurement. Suppose
there is an inspector library which defines a property of the World
called Internet atomic clock and which has the ability to make queries
to an authoritative timekeeper by Internet protocols that can return
the result as a relevance language time data type. Suppose that it also
defines a property of the World referred to as system Greenwich Time
which gives the Greenwich Mean Time equivalent of the system clock. The
following relevance clause targets consumers whose system time is
incorrectly set:

abs ((Greenwich Time of Internet Atomic Clock) - System Greenwich
Time) > time "10 Seconds"

The following is an example of a remote device query. Suppose there is
an inspector library which defines a property of the World called
network Postscript printer and which has the ability to make queries to
the currently selected printer to determine if it is properly
configured. A valid relevance clause is:

Model of Network Postscript Printer is "LaserJet 5" and ROM
Version of Network Postscript Printer < version "2.0"

which targets those consumers with LaserJet 5 printers having old ROMs.

The following is an example of a remote database inspector. Suppose
that the advice provider is a large organization that serves a
population of advice consumers who are employees, who have small hand
held computational devices, and who keep important data on a remote
computer which has a trust relationship via security handshaking with
these small devices. Suppose that the employees use organizational
data which is accessible via a Lightweight Directory Access Protocol
(LDAP) database server accessible over Internet (see W. Yeong, T.
Howes, S. Kille, LDAP (Lightweight Directory Access Protocol), Internet
Standards Track RFC 1777 (1995)). The advice provider would like to
serve up advice which asserts conditions about the employee's assigned
project which is not available on the hand held machine, but instead is
available by LDAP queries to the LDAP server. In addition, it asserts
conditions about the employee's status which are only available on the
hand held machine.

The provider develops an inspector library which can access data on the
LDAP server, and an inspector library which can access data on the hand
held device. Suppose that the installation of these inspectors includes
steps to configure the LDAP queries with appropriate passwords and
appropriate usernames. A valid phrase in the relevance language is:

sponsor of assigned project of Employee LDAP record is
"U.S. Government" and (per diem charges of current
daily expense of Employee Handheld record>35)

The intent of this fragment is for a certain entry to be extracted from
the LDAP database associated with this employee, and the sponsor name
compared to "U.S. Government." If that condition holds, the current
travel expense record is queried for a per diem claim.

This approach provides a way of anonymously and proactively targeting
employees listed in the organizational database as subject to a per
diem rate lower than the expenses they are generating. Thus, the
invention provides a method of checking expense claims during travel,
well before submission.

Important issues arise in the specification of the interfaces
with remote systems. One aspect is that there must be a trust
relationship between the consumer computer requesting the
remote service and the other device or computer fulfilling
the request to allow automatic evaluation of relevance. The
communications must be encrypted in some cases. The
degree of resource use must be monitored. Digital
authentication must be available in some cases. These are
all details that can be handled by well-known mechanisms.

The provision of a process whereby an advice provider
can author advisories which refer not only to properties of
the consumer computer and its environment, but also to
properties accessible by query from the consumer computer,
creates a new communications protocol described below, i.e.
the personal information access protocol.
Inspecting Program Log Files 

Many computer software applications and processes
maintain a log file or files that contain a record of the history
of execution of the application or process. Standard
examples of this include transaction logs kept by mail
servers and by login daemons, backup logs kept by backup
software, and error logs kept by user programs.

A program log inspector is an inspector library that can be 
installed in the advice reader and which enables the rel- 
evance language to refer to data stored in a certain log file 
or files. At a high level of abstraction, this is the same type 
of function that is enabled by database inspectors, registry 
inspectors, or user profile inspectors, only with a different 
database being inspected. 

Such an inspector library defines access methods that
allow one to obtain key data items from log files.

As an example of how such an inspector is used, suppose
it was desired to reach users who run the application
GraphMaker, where the log file generated by GraphMaker
contained an error entry with error code 93456.

Suppose that this error code indicates that a certain
PostScript printer was unable to process the file output by
GraphMaker. It is desirable to communicate to consumers in
this situation the fact that there is a workaround for this
problem. Suppose that GraphMaker has an inspector library
available at its advice site which implements a set of
methods associated with the central data type, which is
referred to as GraphMaker error log. Assume that when this
inspector library is installed in the advice reader,
GraphMaker error log is a property of World. Assume that
GraphMaker error log has a property referred to as entry, and
that the result of such a property is an object of type
GraphMaker error log entry with properties error code and
error message, yielding integer and string data types,
respectively. Then, there:

exists entries "Error" of GraphMaker error log whose (Error Code of it = 93456)

provides the needed functionality. The intent of this clause
is as follows: The file associated with the GraphMaker error
log is located and opened, and a search is made through this
file for entries of type error as opposed to warning. These
entries are examined to determine if any of them is
associated with an error code of the indicated type.
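
The log clause described above, as an added Python sketch that is not part of the patent text. The `timestamp|TYPE|code|message` line layout, the sample log and every function name are assumptions of this example, since the text does not define GraphMaker's log format.

```python
from dataclasses import dataclass
from typing import Iterable, Iterator

# Constructed sample log. The "timestamp|TYPE|code|message" layout is an
# assumption; the text does not specify GraphMaker's log format.
SAMPLE_LOG = """\
1998-01-08T09:14:02|Warning|120|Font substituted
1998-01-08T09:15:40|Error|93456|PostScript printer rejected output
this line is truncated garbage
1998-01-08T09:16:01|Error|not-a-number|corrupt code field
1998-01-08T09:20:11|Warning|93456|same code, but only a warning
"""


@dataclass(frozen=True)
class LogEntry:
    entry_type: str     # "Error" or "Warning"
    error_code: int     # the "error code" property (integer)
    error_message: str  # the "error message" property (string)


def entries(lines: Iterable[str], entry_type: str) -> Iterator[LogEntry]:
    """Yield well-formed entries of the requested type.

    The log is written by another program and may be damaged, so a
    malformed line is skipped instead of raising: the relevance check
    then answers "not relevant" rather than crashing the reader.
    """
    for line in lines:
        parts = line.rstrip("\n").split("|", 3)
        if len(parts) != 4:
            continue
        _timestamp, kind, code, message = parts
        if kind != entry_type:
            continue
        try:
            yield LogEntry(kind, int(code), message)
        except ValueError:
            continue  # non-integer code field


def clause_is_relevant(log_text: str, code: int = 93456) -> bool:
    """exists entries "Error" of GraphMaker error log
    whose (Error Code of it = 93456)"""
    return any(e.error_code == code
               for e in entries(log_text.splitlines(), "Error"))


if __name__ == "__main__":
    print(clause_is_relevant(SAMPLE_LOG))
```

The Warning line carrying the same code does not satisfy the clause, because the clause restricts the search to entries of type error.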

This enables a technical support organization to develop 
a process for maintenance of complex products in the field 
where: 

The product is developed so that exceptional conditions
are identified and logged;
Inspectors for this log are developed and published at an
advice site; and
Advice is authored which inspects the log to identify and
correct problematic situations.
In this way a technical support organization can target
consumers experiencing certain program faults.
Inspecting the Advice System

The advice reader maintains subscription information,
pools of advisories and, in one implementation, logs that
indicate the history of relevance evaluation and of automatic
solution operation.

An advice system inspector is an inspector library that can
be installed in the advice reader and which enables the
relevance language to refer to data stored and managed by
the advice reader itself. At a high level of abstraction, this is
the same type of function that is enabled by database
inspectors, registry inspectors, or user profile inspectors,
only with a different database being inspected.

Such an inspector library defines access methods that
allow one to obtain key data items from important
components of the system:

The subscription database: Existence or nonexistence of
certain subscriptions, address of advice sites associated
with certain subscriptions, synchronization schedule
associated with certain subscriptions, digital
authentication information associated with certain
subscriptions, other interesting attributes.

The advice database: Existence or nonexistence of certain
advisory in the advice database. Relevance or
irrelevance of certain advisory in the advice database.
Existence or nonexistence of certain author in the
advice database. Existence or nonexistence of certain
subject in the advice database.

The advice reader's log files: Existence of a subscription to
a certain site sometime in the past. Existence or
nonexistence of certain diagnostic conditions, for example,
aborted evaluation of certain advisory due to excessive
time to evaluate an advisory. Relevance of certain
advisory at some time in the past. Acceptance by user
of an automatic solution operator associated with
certain advisory at some time in the past.

The advice reader's configuration: Installation of certain
inspectors. Parameters of advice reader operation. User
Preferences.

As an example of how such an inspector is used, suppose
that in January 1998 a special piece of patch code was
released which modified the application GraphMaker.
Suppose that most consumers who installed this patch learned
of it through the advisory process described herein. It is
desired to reach users running the application GraphMaker
which at some point in the past, prompted by an advisory, had
installed the patch to the GraphMaker application. Suppose
this is because an improved version of the patch has become
available.

A comprehensive strategy for this situation formulates
several advisories. The strategy formulates an advisory for
users who have a current subscription to the advice site. This
is prosaic in construction, and uses mechanisms described
earlier. However, a comprehensive strategy also formulates
three other advisories intended ultimately for other users:

First, the strategy formulates an advisory for users who no
longer subscribe to the advice site, but who may have done
so at some time in the past. The advisory is distributed by
various means outside the normal subscription mechanism
of the invention, for example through a service, e.g.
UrgentAdviceNet. This advisory looks to see if GraphMaker is
installed, to see if there is no active subscription to the
GraphMaker advice site, and then at the log file generated by
the advice reader to see if GraphMaker advisory "98/1/08-1"
was relevant at some time in the past and if the user had
accepted the proposed solution. Any consumer for whom
this is relevant is notified, first that they should resubscribe
to the site if possible, and second that when they do they get
instructions about updating the patched code.

Second, the strategy formulates an advisory for users who
have never subscribed to the advice site and never received
the earlier advisory. This advisory checks if the affected
version of GraphMaker is installed, and then sees if the
current subscription database shows no active subscription,
and also if the log shows no formerly active subscription.
Any consumer for whom this is relevant is notified, first that
they should subscribe to the site if possible, and second that
when they do they get instructions about updating the
patched code.

Third, the strategy formulates a counter-advisory for users
who have somehow obtained a copy of the former advisory
[...] subscription, and which is somehow
active in the advice database. Such an advisory is not
automatically deleted by site synchronization because it is
[...] originating advice site. This advisory
identifies the existence in the advice database of the old
advisory. Any consumer for whom this is relevant is notified,
first that this active advisory is no longer avowed by its
author, second that the consumer should subscribe to the site
if possible, and third that when they do they get instructions
about updating the patched code.

Suppose that advice reader has an inspector library
installed which implements a set of methods associated with
three central data types, referred to as adviceNet
subscription inspector, adviceNet advice inspector, and
adviceNet history inspector.

With such inspectors one may target consumers who may
[...] proposed solution of the advisory in the
[...] currently subscribe:

exists application "GraphMaker" whose (version of it is
version "1.01")
[...] "GraphMaker" of adviceNet Subscription inspector
and exists entry "relevant" of adviceNet History inspector
whose (identifier of it is "98/01/08-1" and
adoption status of it is "Accept")

[...] consumers who subscribed:

exists application "GraphMaker" whose (version of it is
version "1.01")
and not exists entry "Subscription" of adviceNet History
inspector
whose (name of it is "GraphMaker")

With such inspectors one may also target consumers who
received the advice by other means than subscription:

exists application "GraphMaker" whose (version of it is
version "1.01")
and exists entry "Advisory" of adviceNet advice Database
whose (author of it is "GraphMaker" and identifier of
it is "98/01/08-1")

These inspectors enable a technical support organization
to develop a process for maintenance of bodies of advisories
and to adapt to the consequences of adoption/non-adoption
of previous advisories.

A second type of example is provided by the case where
an advice provider RealAudio wants to author an advisory
checking whether a certain inspector is installed and is the
correct version, for example, because advice depends on
this. Assume that there is an inspector library which, when
installed, adds adviceNet configuration as a property of
World. RealAudio could serve up advice at its site with the
relevance clause:

not exists inspector library "Netscape Preferences" of
adviceNet Configuration

allowing one to check that an inspector library was not
installed. The humanly interpretable content of the
associated message is an explanation that for RealAudio advice
to work properly, the user should get the appropriate inspector
from the Netscape site. In addition, it could serve up advice
qualified by:

version of inspector library "Netscape Preferences" of
adviceNet Configuration is not version "1.0"

to target users with the wrong version of an inspector library.

Such an inspector enables a technical support organization
to make sure that the advice reader is correctly configured
to use the advice provided by that organization.
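
The three GraphMaker follow-up advisories from the advice system inspector discussion above, as an added Python sketch that is not part of the patent text. The shape of `ReaderState`, the dictionary keys in the history log and the sample readers are assumptions of this example; each predicate follows the prose description of the corresponding advisory, and all of it is evaluated locally on the consumer computer.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

AUTHOR = "GraphMaker"
ADVISORY_ID = "98/01/08-1"
AFFECTED_VERSION = "1.01"


@dataclass
class ReaderState:
    """What the three inspectors expose (shape assumed for this example)."""
    applications: Dict[str, str] = field(default_factory=dict)  # name -> version
    subscriptions: Set[str] = field(default_factory=set)        # active sites
    history: List[dict] = field(default_factory=list)           # reader log
    advice_db: List[Tuple[str, str]] = field(default_factory=list)  # (author, id)


def affected_app(s: ReaderState) -> bool:
    return s.applications.get(AUTHOR) == AFFECTED_VERSION


def lapsed_adopter(s: ReaderState) -> bool:
    """No active subscription, but the log shows the old advisory was
    relevant and its solution was accepted."""
    accepted = any(e.get("type") == "relevant"
                   and e.get("identifier") == ADVISORY_ID
                   and e.get("adoption status") == "Accept"
                   for e in s.history)
    return affected_app(s) and AUTHOR not in s.subscriptions and accepted


def never_subscribed(s: ReaderState) -> bool:
    """No active subscription and no formerly active one in the log."""
    ever = any(e.get("type") == "Subscription" and e.get("name") == AUTHOR
               for e in s.history)
    return affected_app(s) and AUTHOR not in s.subscriptions and not ever


def holds_stray_copy(s: ReaderState) -> bool:
    """The old advisory is present in the advice database."""
    return affected_app(s) and (AUTHOR, ADVISORY_ID) in s.advice_db


def matching_advisories(s: ReaderState) -> List[str]:
    checks = [("lapsed-adopter", lapsed_adopter),
              ("never-subscribed", never_subscribed),
              ("counter-advisory", holds_stray_copy)]
    return [name for name, check in checks if check(s)]


# Constructed sample readers.
SUB = {"type": "Subscription", "name": AUTHOR}
ACCEPT = {"type": "relevant", "identifier": ADVISORY_ID,
          "adoption status": "Accept"}
SAMPLE_READERS = {
    "alice": ReaderState({AUTHOR: "1.01"}, set(), [SUB, ACCEPT]),
    "bob": ReaderState({AUTHOR: "1.01"}),
    "carol": ReaderState({AUTHOR: "1.01"},
                         advice_db=[(AUTHOR, ADVISORY_ID)]),
    "dave": ReaderState({AUTHOR: "1.01"}, {AUTHOR}, [SUB, ACCEPT]),
    "erin": ReaderState({AUTHOR: "2.0"}),
}

if __name__ == "__main__":
    for name, state in SAMPLE_READERS.items():
        print(name, matching_advisories(state))
```

A reader such as dave, who still subscribes, matches none of the three and is served by the ordinary advisory on the site.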
Variations 

Alternate Transport Mechanisms

So far, the discussion herein has centered around a single 
mechanism for the transport of advisories. In fact, there are 
many situations where other means of transport are useful 
and/or desirable. Some such means of transport include: 

advice by physical transport. An advisory may arrive at
the consumer computer by file copy from a floppy disk,
CD-ROM, or similar physically transportable medium.

advice by e-mail. An advisory may arrive as part of an
e-mail message, routed from another consumer, or from
an advice provider.

advice by USENet. An advisory may arrive as part of a
news message distributed according to the USENet
protocol, posted by another consumer, or by an advice
provider.

advice by proprietary protocol. An advisory may arrive as
part of a message distributed according to a proprietary
protocol.

advice by file transfer. An advisory may be obtained by
file transfer from another machine, where said transfer
uses an application other than the advice reader. For
example, a user might direct a Web browser to
download an advisory file that is pointed to by a hypertext
link. Or, an application might direct the downloading of
an advisory, without user control, using FTP or some
file sharing protocol.

There are three different procedures for treating advice 
that has arrived by one of these routes: 

Adding to advice database. The advice is added to the 
existing database of advice being tested continually for 
relevance. 

Situational evaluation. The advice is evaluated for
relevance when opened, but not entered into any
permanently maintained pool. When closed, the advisory has
no interaction with the system. This type of advice is
part of a manual check, for example, in a once only
situation.

Stockpiling. The advice is stored on the consumer
computer's storage device for future use. This means that at
some future time it is added to the advice database or
at some future time it undergoes one-time evaluation.

The possibility of situational evaluation, i.e. situational
advice, bears special notice (see FIG. 16). This can be used
to create rather complex digests of advisories which are
opened by the consumer only when special needs or
situations arise.

The following are examples of alternate transport
mechanisms applied in the technical support application area:

advice before purchase. An advice digest arrives at the
consumer computer as part of the shopping process for
a new piece of software or hardware on the consumer
computer. This collection may arrive by physical
transport of media or by electronic transfer, for example, the
consumer may obtain the digest from a Web site
devoted to shopping. The digest, when processed by the
advice reader, evaluates the consumer's hardware
situation and informs the consumer about its suitability for
various possible purchases. The process is typically run
only once.

advice with installation. An advice digest 160 may arrive
at the consumer computer as part of the installation
process for a new piece of software or hardware on the
consumer computer. This piece of software may have
arrived by physical transport of media 161 or by
electronic transfer 162. The new advisories may be
added as part of an automatic initialization process
whereby a subscription is automatically initiated and
the advisories are placed in the advice pool as a way of
initiating the local site image. An optional
synchronization of the user location with the advice site may
occur 163. The user reader opens the advice digest 164
and evaluates advice relevance 165. Advisories are
displayed with optional solutions 166 and the user
reacts to the advisories 167. The system may perform
a standard software installation 168 and enter a
subscription to a post-install advice site 169 to receive
post-install advisories 170.

problem diagnosis. An advice digest may arrive at the
consumer computer as part of the installation process
for a new piece of software or hardware on the
consumer computer. However, no use is made of the digest
at installation time. Instead, the digest is copied onto
the storage device of the computer. Later, the user is
informed to open the digest by any of several means for
situational use when a certain problem arises. Upon
doing so, the user is notified of various advisories
which apply to this specific situation and hardware/
software/settings configuration. After the episode is
over, the advice is closed, perhaps to be reopened at
some later time for possible reuse.
Alternate Notification Mechanisms 

Advisories can be presented to the user in other ways than 
through the usual advice reader interface. For example: 

Via Notify Box in Other Applications. The user may be
notified of the existence of a relevant advisory while
using another application. Notification uses a
mechanism appropriate to that application. For example, the
consumer is engaged in another activity, e.g. viewing a
video, and is notified in an unobtrusive way, e.g. in this
case by picture-in-picture.

Via Desktop/Screen Saver. The user may be notified of the
existence of a relevant advisory when he is not using an
application. Notification uses a mechanism appropriate
to the default presentation. For example, the desktop
has an animated icon depicting the existence of relevant
advisories. Another example, a screensaver presents an
animated presentation whose state indicates status of
machine, e.g. subsystems affected by advisories.

Via e-mail. The user may be notified of the existence of
a relevant advisory by electronic messaging using
e-mail. This includes textual summaries indicating the
number and type of relevant advisories and the number
and type of affected system components.

Via messaging. The user may be notified of the existence
of a relevant advisory by electronic messaging driving
other modalities of information transmission. This may
include standard means of communication, such as
pager, phone, and fax transmission. For example, in an
environment where consumer appliances are connected
to a computer in the home, the invention inspects
properties of the devices and pages the consumer with
urgent messages. An advisory is written referencing the
temperature in the home, with the effect that if the
temperature were excessively high or low, an advisory
is relevant. Assuming that the relevance notification is
set up to use alphanumeric paging, the consumer is
paged to indicate that the temperature in the house was
out of normal bounds.
Frequency of Relevance Evaluation 

As so far described, relevance evaluation is a process 
carried out by the advice reader. A typical implementation 
continually evaluates all advice in the advice database for 
relevance, metering total CPU resource usage, and keeping 
resource consumption measured over intervals of, e.g. 1 
second, below a certain fraction of available CPU time. 

A typical implementation allows user involvement in 
three ways: 

First, by allowing the user to set parameters controlling
the fraction of CPU resource used during continuous
evaluation.

Second, by allowing the user to group advisories into
special pools which are evaluated according to differing
schedules. For example, a manual pool is evaluated only
under manual evaluation, while a nightly pool is evaluated
only at a certain user specified time in the evening.

Third, by allowing the user to schedule relevance evalu- 
ation for an individual piece of advice manually, overriding 
all pool membership parameters. 

There are a variety of important variations on this 
approach: 

Skipping evaluation. In certain settings, it may be
desirable not to evaluate each piece of advice in a pool with
each pass through the pool. For example, those pieces
of advice which take a very long time to evaluate are
periodically skipped, or skipped based on the CPU
usage of other applications running on the consumer
computer. A piece of advice which is unevaluated
retains the relevance status of the previous evaluation.

Scheduling based on author comments. In one 
implementation, the author of the advisory can specify 
the scheduling of relevance evaluation. He includes in 
the advisory file an Evaluate-When line that specifies 
details of evaluation scheduling. Options may include 
either a periodic schedule for relevance evaluation, a 
condition for relevance evaluation, or membership in a 
well known advice pool with a standard evaluation 
schedule. 

Scheduling based on advice reader analysis. The process 
of evaluating relevance may be viewed as analogous to 
the process of running various processes in a computer 
operating system. Using traditional operating systems 
scheduling ideas, it is possible to allocate priorities to 
advisories and to assign lower priorities to certain 
processes. A special case of this is the procedure 
skipping evaluation, discussed above. 
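
The CPU metering and skipping behaviour described in this section, as an added Python sketch that is not part of the patent text. The names, the `max_skips` starvation guard and the simulated meter are assumptions of this example; a real reader would pass `time.process_time` as the meter.

```python
import time
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class PooledAdvisory:
    ident: str
    clause: Callable[[], bool]
    relevant: Optional[bool] = None  # retained status; None = never evaluated
    last_cost: float = 0.0           # CPU seconds used by the last evaluation
    skipped: int = 0                 # consecutive passes skipped


def pass_budget(interval: float = 1.0, cpu_fraction: float = 0.1) -> float:
    """CPU seconds one pass may use: a fraction of each metering interval."""
    return interval * cpu_fraction


def run_pass(pool: List[PooledAdvisory], budget: float,
             meter: Callable[[], float] = time.process_time,
             max_skips: int = 3) -> List[str]:
    """Evaluate the pool until the budget is spent; return ids evaluated.

    An advisory whose previous evaluation cost more than the remaining
    budget is skipped and keeps its previous relevance status. After
    max_skips consecutive skips it is evaluated anyway, so an expensive
    advisory is delayed but never starved (an assumption of this example).
    """
    spent = 0.0
    evaluated = []
    for adv in pool:
        if adv.last_cost > budget - spent and adv.skipped < max_skips:
            adv.skipped += 1
            continue
        start = meter()
        try:
            adv.relevant = bool(adv.clause())
        except Exception:
            adv.relevant = False  # a failing clause is "not relevant"
        adv.last_cost = meter() - start
        adv.skipped = 0
        spent += adv.last_cost
        evaluated.append(adv.ident)
    return evaluated


class SimulatedMeter:
    """Constructed stand-in for a CPU clock so the demo is deterministic."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def burning(self, seconds: float, result: bool) -> Callable[[], bool]:
        def clause() -> bool:
            self.now += seconds  # pretend the clause used this much CPU
            return result
        return clause


def demo_pool(meter: SimulatedMeter) -> List[PooledAdvisory]:
    return [PooledAdvisory("cheap", meter.burning(0.01, True)),
            PooledAdvisory("slow", meter.burning(0.5, True)),
            PooledAdvisory("cheap2", meter.burning(0.01, False))]


if __name__ == "__main__":
    m = SimulatedMeter()
    pool = demo_pool(m)
    for _ in range(5):
        print(run_pass(pool, pass_budget(), meter=m))
```

On the first pass no costs are known, so the slow advisory runs once and overruns the budget; from then on its measured cost keeps it out of most passes while its last status is retained.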
Variations in Relevance Evaluation 

Simulated Conditions. In certain situations (see FIG. 17), 
it is useful to the consumer to simulate evaluation of advice 
in an environment other than the one which actually obtains. 

In one implementation of the advice reader, a method is 
provided to simulate conditions which do not in fact obtain. 
Such an advice reader has a modification to the method 
invocation dispatcher of the advice reader. In this 
modification, the name of the method and the involved data
types are compared with a simulation table 172 in a proxy
layer 173 before a method dispatch occurs. The simulation
table contents are user editable 171. If there is no match,
dispatch occurs as normally, i.e. an advisory received from
an expression tree evaluator 174 is dispatched by the method
dispatcher 175. If there is a match, dispatch is suspended,
and instead the value of the method is obtained by look-up
from the associated cell of the simulation table. The result in
either case is passed by the proxy layer to the system, e.g.
to the file system inspector 176 or registry inspector 177.

Such an implementation allows the consumer to simulate
conditions. The consumer overrides the usual relevance
evaluation procedure by editing the simulation table, and by
installing names of methods and argument types to be
bypassed and the associated values to be returned.
In this way it is possible to provide a tool to:
Pretend the existence of devices which are typically
connected, but are currently unreachable;
Determine whether a certain advisory or family of
advisories goes away (i.e. becomes irrelevant) if certain
modifications to the consumer computer are made,
without actually making the modification;
Determine if the installation of a product causes certain
advisories to become relevant.

There are many other applications of this approach. 
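
The simulation table look-up described above, as an added Python sketch that is not part of the patent text. The class names, the method names registered with the dispatcher, the tuple encoding of versions and the `used_simulation` flag are assumptions of this example; the flag is included so that a result resting on a simulated value can be labelled as hypothetical instead of being acted on.

```python
from typing import Any, Callable, Dict, List, Tuple

Key = Tuple[str, Tuple[str, ...]]  # (method name, argument type names)


class MethodDispatcher:
    """Routes (method name, argument types) to a registered inspector."""

    def __init__(self) -> None:
        self._methods: Dict[Key, Callable[..., Any]] = {}

    def register(self, name: str, arg_types: Tuple[str, ...],
                 fn: Callable[..., Any]) -> None:
        self._methods[(name, arg_types)] = fn

    def dispatch(self, key: Key, args: Tuple[Any, ...]) -> Any:
        if key not in self._methods:
            raise LookupError(f"no inspector method for {key}")
        return self._methods[key](*args)


class ProxyLayer:
    """Consults the user-editable simulation table before each dispatch."""

    def __init__(self, dispatcher: MethodDispatcher) -> None:
        self._dispatcher = dispatcher
        self.simulation_table: Dict[Key, Any] = {}
        self.trace: List[Tuple[str, str]] = []  # (method, how it was answered)

    def call(self, name: str, *args: Any) -> Any:
        key = (name, tuple(type(a).__name__ for a in args))
        if key in self.simulation_table:
            # Match: dispatch is suspended, the table cell supplies the value.
            self.trace.append((name, "simulated"))
            return self.simulation_table[key]
        self.trace.append((name, "dispatched"))
        return self._dispatcher.dispatch(key, args)


def evaluate(proxy: ProxyLayer,
             clause: Callable[[ProxyLayer], bool]) -> Tuple[bool, bool]:
    """Return (relevant, used_simulation) for one clause evaluation."""
    start = len(proxy.trace)
    try:
        relevant = bool(clause(proxy))
    except Exception:
        relevant = False  # an inspector failure means "not relevant"
    used = any(how == "simulated" for _, how in proxy.trace[start:])
    return relevant, used


def printer_unreachable() -> Any:
    # Constructed inspector: the device is normally attached but offline.
    raise ConnectionError("printer unreachable")


def build_reader() -> ProxyLayer:
    d = MethodDispatcher()
    d.register("model of network printer", (), printer_unreachable)
    d.register("rom version of network printer", (), printer_unreachable)
    d.register("exists file", ("str",),
               lambda path: path in {"C:/GraphMaker/gm.exe"})
    return ProxyLayer(d)


def old_rom_clause(p: ProxyLayer) -> bool:
    # Model of Network Postscript Printer is "LaserJet 5" and
    # ROM Version of Network Postscript Printer < version "2.0"
    return (p.call("model of network printer") == "LaserJet 5"
            and p.call("rom version of network printer") < (2, 0))


if __name__ == "__main__":
    reader = build_reader()
    print(evaluate(reader, old_rom_clause))          # printer offline
    reader.simulation_table[("model of network printer", ())] = "LaserJet 5"
    reader.simulation_table[("rom version of network printer", ())] = (1, 4)
    print(evaluate(reader, old_rom_clause))          # pretend it is attached
```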
User filtering. It has been tacitly assumed that a user
typically wants to see all relevant advisories from all
sites. In practice, a user might be interested in filtering
the display of advisories, focusing on items from a
certain site, from a certain pool, focusing on advisories
which exhibit certain keyword labels in the Refers-to
or Solution-Affects.
Promotion of Trust 

The invention provides a powerful tool for connecting 
advice consumers with advice provided by advice authors. 

In certain settings, the invention must be security and
privacy aware. For an extensive discussion of security and
privacy considerations, see below. A typical instance of such
a setting is where the invention is:
connecting an advice provider and a provider consumer
via a public network, such as the Internet;
the typical advice consumer is a lay person; and
the advice provider is a large business or other concern
which needs to protect and enhance its reputation.
In such a setting, it is important to take into account the
widely perceived insecurity of public networks, and to offer
tools so that consumers and providers behave wisely.
The communications process disclosed herein is designed
to support the development of wise habits on the parts of
both advice consumers and advice providers. A cornerstone
of the process is that users should only interact with trusted
providers, and to this end, the invention provides technology
supporting the evaluation of trustworthiness by consumers
and maintenance of trustworthy status by providers.
Importance of Trust 

In general a trustworthy advice site has several qualitative 
attributes. 

Quality. The advice is perceived by consumers as being 
well-intentioned, well-conceived, and well-executed. 

Security. The advice is perceived by consumers as being
secure, having no intent to harm, and having both an
intent to help and being carefully tested and responsibly
maintained.

Privacy. The advice is perceived by consumers as being 
private, having no intent to snoop or pry, and having 
both an intent to keep private and being carefully
designed and responsibly maintained to maintain that
intent.

Relevance. The advice is perceived by consumers as
being tightly targeted, having no intent to go to wide
populations of users as would a broadcast message (this
is a practice sometimes called spamming in other
messaging modalities, such as e-mail), and having both
an intent to reach narrow groups of consumers with a
focused need to know, and being carefully designed and
responsibly maintained to achieve that intent.

The invention offers a number of technological tools
facilitating open communication between consumer and
provider which lead to proper attributions of trust. The
invention, in one implementation, may offer mechanisms
allowing interested providers to promote consumer trust and
consumers to learn how to discriminate between trustworthy
and untrustworthy providers:

Disclosure. Advice providers may have the ability to
disclose the potential effects of advice, to describe
experiences during testing or in the field.

Discovery. Advice consumers may have the ability to
learn about the potential effects of advice, and about the
experiences of others with certain advice provider, or
with certain advice sites.

Feedback. Advice consumers may have the ability to
comment on their experiences with certain pieces of
advice.

Correction. Advice providers may have the ability to
retract faulty advice.

Certification. Advice providers may have the ability to
seek certification of their advice as safe and effective by
an outside ratings service. The advice reader may have
the ability to block advisories which are not rated in
accordance with the consumer specifications.

The following is a more detailed discussion of these
mechanisms.
Disclosure Mechanisms

The invention offers advice providers the ability to
describe, in the humanly interpretable component of the
message, the potential effects of advice, about the
experiences of the advice provider in testing or from user
feedback.

By using several methods of disclosure, an advice
provider can gain consumer trust and visibility.

In one implementation, a more formal method of
documenting and monitoring the effects of the advice is offered,
enabling an advice provider to disclose names of potential
effects through stereotyped keywords.

A central authority, such as Better Advice Bureau,
publishes a registered list of keywords which are used to
describe the subsystems of the user computer or its
environment which may be affected by the proposed solution, or
the effects of the proposed solution on personal privacy. An
advice provider, in authoring advice, uses this mechanism to
disclose potential effects of a recommended solution
operator through stereotyped keywords in a header line
Solution-Affects.

In one implementation of the advice reader, these
keywords are searchable, and indexable and relevance
evaluation is subsidiary to it.

Consumer ease of use may be bolstered, in one
implementation, by allowing various kinds of user side
filtering based on these keywords. For example, a user
plagued by enormous numbers of advisories whenever he
detached the CD-ROM drive temporarily could use this
feature to simplify his life. He would declare irrelevant all
advisories referring to the CD-ROM drive in their keywords
fields, and then afterwards detach the CD-ROM drive. In
this way, even if there were advisories ordinarily triggered
by the non-existence of an attached CD-ROM drive, the user
would not have to see them. For an alternate mechanism, see
the discussion of simulated conditions above.

Consumer confidence may also be bolstered by allowing
[...] keywords. For
example, suppose that an available keyword reveals
[...] identity to a provider. By using this when it is the
case, a provider has disclosed the effects of a message. A
consumer who, as a matter of policy does not participate in
surveys and similar information gathering advisories could
specify that all advisories which contained this keyword
should be declared irrelevant. In this way, the provider has
done his duty to disclose and the consumer who trusts the
provider is rewarded with the ability to see only the
important messages.
Discovery Mechanisms

In a typical implementation, the advice consumer can
inform himself of potential impacts of a piece of advice
before deciding to apply the recommended solution
operator. Some of this may already be done using existing
Internet technology. The consumer can query other Web sites
and [...] advisory.

[...] invention extends this mechanism through a special
Internet server, referred to as the Better Advice Bureau. The
Better Advice Bureau serves as a central clearinghouse for
information about the effects and side effects of advice. The
user can at any time query the Better Advice Bureau, asking
for any recorded comments about a specific advisory or a
specific site.
Feedback Mechanisms

In a typical implementation, the advice consumer can
provide feedback to the advice provider and to other
consumers describing user experience with a piece of advice.
Some of this may already be done using existing Internet
technology. The consumer can use e-mail and USENet
newsgroups to notify others about experience with a certain
advisory.

In one implementation, the invention extends this
mechanism through a special Internet server referred to as the
Better Advice Bureau. The Better Advice Bureau serves as
a central clearinghouse for information about the effects and
side effects of advice. The user can at any time submit to the
Better Advice Bureau Web site (described below), recording
comments about the specific advisory or the specific site.
The Better Advice Bureau can relay those comments to the
advice provider, who can respond to them. In one
implementation, the Better Advice Bureau protects the
identity of the consumer by stripping off identifiers before
mailing or posting. The Better Advice Bureau compiles all
the information submitted by consumers, and provider
responses, into a database available for queries over the
network.

In one implementation, the advice reader offers a direct
access to this feature by including an easy way to create a
message automatically about a certain advisory in the
standard advisory display, and address it to the authorities at
Better Advice Bureau. For example, a button is placed as
part of the advice browser window. By clicking on that
button, a mailer window opens up with the sending and
recipient addresses, and with the advisory number and
subject already supplied. The user is then always one click
away from being able to record a commentary about certain
advice.
Correction Mechanisms

In a typical implementation, the advice provider can disown advice that it has posted in error. This is done by removing the advisory from the provider's advice site. Over time, as subscribing advice readers synchronize with the provider's site, the advisory automatically disappears from those consumer computers.

In certain settings, this is not a sufficiently proactive solution. For example, certain advisories may be distributed by means other than the usual advice reader/advice site model. To the extent that certain consumers may have such advisories in their advice pool, but without associating them with a subscription, they need to be dealt with by a counter advisory. This is an advisory which acts as advice against another piece of advice. Using an advice inspector library as described above, it is possible to write an advisory that is relevant when the consumer computer has a certain advisory in its main advice pool. Such an advisory is typically as follows:

The advisory 40139 which we released on May 31, 1998 has been recalled, and we recommend that you delete it from your advice system immediately.
If you agree to this, click the <DoIt> button below.

(signed) <Authors Name>.

Such counter advice is distributed by submitting it to UrgentAdviceNet, a special advice site to which all advice readers subscribe. The piece of advice is rapidly diffused to users.

In summary, the invention offers the following process for dealing with faulty advice:

Removing the bad advisory from the provider's advice site.

Writing a counter advisory and submitting it to UrgentAdviceNet.

Writing a better advisory.

Placing the better advisory at the provider's advice site.
Certification Mechanisms 

One technique to further consumer acceptance of the use of advisories and the associated solutions is to remove some of the burden for determining the trustworthiness of messages from the individual consumer. A method to do this is for a ratings service at a central site to offer a service to advice providers that certifies advice as being in accord with certain publicly known privacy and security standards. Under existing Web protocols (see Khare, Rohit, Digital Signature Label Architecture, The World Wide Web Journal, Vol. 2, Number 3, pp. 49-64, O'Reilly (Summer 1997) http://www.w3.org/DSIG) there is a method for the establishment of URL ratings services, via a message block that can reliably certify that a certain ratings agency asserts that certain information resources have certain properties. The credibility of such assertions, i.e. that the advice is actually being certified by the service and not by an impostor, is based on deployment of standard authentication and encryption devices. Applying this technology, a ratings service can be established at a central site, e.g. Better Advice Bureau.org as described below, to certify that certain advice operates in a fashion generally accepted as appropriate for the advertised task, is used in a manner to protect individual identity, and has generally benign effects. Advice authors seeking certification of the trustworthiness of their advice submit those advisories to the certification authority, which studies the messages and, at its option, agrees to certify some of those messages. Here certification means that, according to a well known standard, a special ratings block is appended to the message indicating that the message is asserted by the authority to have certain attributes.
In one embodiment of the invention, the consumer is offered the option of making integral use of one or more ratings services. This functions as follows:

A ratings service uses a well known format, such as PICS (see Khare, Rohit, Digital Signature Label Architecture, The World Wide Web Journal, Vol. 2, Number 3, pp. 49-64, O'Reilly (Summer 1997) http://www.w3.org/DSIG), for describing its ratings of resources such as advice sites and individual advisories.

The ratings service publishes a list of descriptive keywords used in the ratings system, such as BAB-Privacy-Standards-Compliant or does not affect file system.

The ratings service labels individual advisories using its own defined labeling system, inserting these labels into the advisories as ratings blocks according to a standard labeling format, such as PICS.

The ratings service labels individual advice sites by attaching labels to site description files using its own defined labeling system, inserting these labels into the site description files as ratings blocks according to a standard labeling format, such as PICS.

The ratings blocks are interpreted and authenticated by an established cryptographic signature mechanism associated with the service, and part of the ratings labeling standard.

The user interface of the advice reader is extended to contain a new component, i.e. the certification manager. This component allows the user to permit advisories to be evaluated for relevance only when they have been credibly certified by a trusted privacy ratings service as having properties with which the user is comfortable. For example, the user blocks advisories which are not certified by Better Advice Bureau as BAB-Privacy-Standards-Compliant, thereby obtaining a measure of confidence that advisories used in his system do not violate his privacy by revealing information to the outside world. The certification manager has two defined roles:

Eliciting User Desires. The certification manager plays a role in initializing the certification process. It makes available to the user a list of potential ratings services among which the user can select. When a service is selected, the certification manager obtains from the ratings service URL a list of the defined ratings keywords, and allows the user to design a filter based on specifying that certain keywords or combinations of keywords must be present (or absent) for a message to be trusted.

Enforcing Policy. The certification manager also has the responsibility to parse and validate the ratings associated with individual messages, and block the evaluation of uncertified messages, or of certified messages not exhibiting the user's desired attributes.
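An added illustration of the certification manager's two roles, not code from the patent: the policy object holds the user's keyword filter, and check() parses and validates a ratings block before an advisory may be evaluated for relevance. The block layout, the key and the keyword Affects-File-System are constructed for the example, and HMAC-SHA256 stands in for the ratings service's public-key signature so that it runs on the Python standard library alone.

```python
import hashlib
import hmac

SEPARATOR = "\n--RATINGS--\n"  # hypothetical delimiter, not PICS syntax
BAB = "BetterAdviceBureau.org"
BAB_KEY = b"constructed-demo-key"  # constructed; HMAC stands in for a public-key signature
COMPLIANT = "BAB-Privacy-Standards-Compliant"  # keyword named on the page


def rating_signature(service, keywords, body, key):
    """Bind the service name and keyword set to one exact advisory body."""
    digest = hashlib.sha256(body.encode()).hexdigest()
    material = "\n".join([service, ",".join(sorted(set(keywords))), digest])
    return hmac.new(key, material.encode(), hashlib.sha256).hexdigest()


def attach_rating(body, service, keywords, key):
    """Ratings-service side: append a signed ratings block to an advisory."""
    sig = rating_signature(service, keywords, body, key)
    listed = ",".join(sorted(set(keywords)))
    return f"{body}{SEPARATOR}Service: {service}\nKeywords: {listed}\nSignature: {sig}"


def parse_rating(message):
    """Return (body, fields); fields is None when no ratings block exists.

    The last separator wins, so a block forged inside the body is treated as
    body text and is covered by the signature check.
    """
    body, sep, block = message.rpartition(SEPARATOR)
    if not sep:
        return message, None
    fields = {}
    for line in block.splitlines():
        name, colon, value = line.partition(":")
        if colon:
            fields[name.strip()] = value.strip()
    return body, fields


class CertificationManager:
    """Reader side: allow relevance evaluation only for acceptable ratings."""

    def __init__(self, trusted_keys, required=(), forbidden=()):
        self.trusted_keys = dict(trusted_keys)  # ratings services the user selected
        self.required = set(required)           # keywords that must be present
        self.forbidden = set(forbidden)         # keywords that must be absent

    def check(self, message):
        """Return (allowed, reason); anything that cannot be verified is blocked."""
        body, fields = parse_rating(message)
        if fields is None:
            return False, "uncertified"
        service = fields.get("Service", "")
        key = self.trusted_keys.get(service)
        if key is None:
            return False, "untrusted service"
        keywords = {k.strip() for k in fields.get("Keywords", "").split(",") if k.strip()}
        expected = rating_signature(service, keywords, body, key)
        claimed = fields.get("Signature", "")
        if not hmac.compare_digest(expected.encode(), claimed.encode()):
            return False, "bad signature"
        missing = self.required - keywords
        if missing:
            return False, "missing: " + ", ".join(sorted(missing))
        unwanted = self.forbidden & keywords
        if unwanted:
            return False, "forbidden: " + ", ".join(sorted(unwanted))
        return True, "certified"


def demo():
    """Run constructed advisories through one policy; return the verdict per case."""
    policy = CertificationManager({BAB: BAB_KEY}, required={COMPLIANT},
                                  forbidden={"Affects-File-System"})
    body = "Advisory 1 (constructed): update the printer driver."
    other = "Does Not Affect File System"
    good = attach_rating(body, BAB, [COMPLIANT], BAB_KEY)
    weak = attach_rating(body, BAB, [other], BAB_KEY)
    cases = {
        "good": good,
        "no block": body,
        "edited body": good.replace("printer", "kernel"),
        "upgraded keywords": weak.replace(other, COMPLIANT),
        "impostor service": attach_rating(body, "ratings.example", [COMPLIANT], b"other"),
        "lacks keyword": weak,
        "unwanted keyword": attach_rating(body, BAB, [COMPLIANT, "Affects-File-System"], BAB_KEY),
    }
    return {name: policy.check(message) for name, message in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

The signature check runs before the keyword filter, so a label whose keywords were edited after signing is rejected as unverifiable rather than judged on its claimed attributes.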

Privileged Sites

In one implementation, the advice reader is preconfigured with hardwired subscriptions to three privileged advice sites. These built-in subscriptions play a central role in ensuring the security of the invention; together they form an immune system.

advisories.com

advisories.com is a Web and FTP site operated by the 
producer of the advice reader software. This allows users 
from all over the world to obtain information and updates 
about the system, about the advice reader, and any updates 
to the software or the invention's communication protocols. 

It is also a trusted site for the distribution of subscription information. Digitally authenticated site description files can be found here for many of the major advice sites on the Internet. These site description files are signed with a digital signature mechanism that is automatically intelligible to every copy of the advice reader. This serves an important security function. As described in the section on security below, it is very important that there be a well known and trusted location that is the source for accurate information about starting a new subscription. By getting site description files from advisories.com, a user has a degree of confidence that he is getting accurate subscription information and is not vulnerable to various security problems.

It is also a site for the distribution of authoring information, in particular, coordination of certain authoring conventions. Two specific conventions have already been mentioned:

Keyword Coordination. This concerns the way in which advisories are used by advice authors to disclose descriptions of potential effects of advice on the consumer's computer or possessions or environment. A current listing of adopted keywords may be made available at the advisories.com site.

Coordination of User Profile Variables. This concerns a mechanism by which new variables may be added to the user profile by different advice providers. A current listing of adopted variables, their formats and promulgators may be made available at the advisories.com site.
BetterAdviceBureau.org 

Better Advice Bureau.org is both a Web site and an advice site on the Internet. It is a site dedicated to the maintenance of the communications protocol as a civilized means of communication.

The Better Advice Bureau.org Web site describes the principles of system operation, describes why the system is useful, and why it protects individual security and privacy. It describes known risks and recommended procedures for interacting with the system. It serves as a clearing house for user complaints about the operation of advisories, and as a place that consumers may come to for research about the experiences associated with an advisory that they are contemplating to apply.

The Better Advice Bureau.org advice site is an advice site to which all advice readers subscribe. It issues what is referred to as meta-advice or counteradvice, in the form of advisories against bad advisories, or against bad sites. By this device, consumers become aware of situations within the advice process which are dangerous from the standpoint of security or privacy, and they can then take corrective measures.

It is also a site for the distribution of ratings information, in particular, publication of certain rating conventions, as described above. There are commonly accepted methods for rating resources on the Web according to criteria provided by a ratings service (see Khare, Rohit, Digital Signature Label Architecture, The World Wide Web Journal, Vol. 2, Number 3, pp. 49-64, O'Reilly (Summer 1997) http://www.w3.org/DSIG). The Better Advice Bureau, in one implementation, functions as a certifier of the privacy and security and usefulness of individual advisories. In this role, the Better Advice Bureau rates individual advisories by including in them a certain special ratings block, according to a well known ratings format, such as PICS. The Better Advice Bureau also publishes at its Web site the information needed to interpret such ratings blocks, including:

A list of descriptive keywords used in the ratings system, such as BAB-Privacy-Standards-Compliant or Does Not Affect File System.

Public key information associated with the certification process.
UrgentAdvice.net

UrgentAdviceNet serves to distribute advisories rapidly to all advisory consumers. It is used sparingly, to deal with urgent situations acutely affecting significant numbers of users. In one implementation, it has a high priority in synchronization, being synchronized every time any synchronization takes place.
Other Application Areas 

In this document so far, the invention has been described 
in connection with the technical support application. The 
following is a partial list of other applications to which the 
invention may be put. 
Consolidator.com 

An Air Ticket consolidator purchases a block of 50 seats on a flight from New York to London for August 20. The consolidator wants to resell those seats to travelers. The consolidator maintains a relationship with a variety of travel agents.

The consolidator uses the invention to market its product more efficiently. The consolidator functions as advice provider, and authors an advisory whose relevance line asserts the existence of a consumer in the travel agency customer database who has reserved a ticket to go from New York to London on that date, or near that date. The advice provider places the advisory at his advice site.

Advice consumers, in this case the various travel agencies working with the ticket consolidator, have their representative computers set to subscribe to the consolidator's advice site. They also install a special inspector in their computer which searches the travel agency customer database for customers with certain travel plans. Advisories flow to their computers and are automatically inspected for relevance. Here relevance means a potential traveler who has plans to travel. The travel agent offers the traveler a ticket at the reduced price provided by the consolidator. The consolidator then makes a sale and the travel agent a commission. All participants win.
CheapFlights.com 

A large airline frequently has last minute opportunities for travel at bargain rates. The airline wants to match the tickets to consumers with a continuing interest in last minute travel to certain cities. This airline can use the invention to market its product more efficiently. The airline functions as advice provider and authors advisories whose relevance line asserts the existence, in the user profile, of an expressed desire to travel to a certain city. The advice provider places the advisory at his advice site.

Advice consumers, in this case the potential travelers, have their representative computers set to subscribe to the airline's advice site. They add expressions of special interest to their user profiles indicating cities they are willing to fly to on short notice. Advisories flow to their computers and are automatically inspected for relevance. Here, relevance means a potential opportunity for a flight on short notice.
Commodity.com 

The system above described works in many other com- 
mercial areas, e.g. one could build as a result, such sites as 
CheapConcerts.com and CheapHotelSuites.com working on 
similar principles. 

Extending this point, it is possible to run a new type of commodity market using the invention. In one model (see FIG. 18), there is a central site referred to as Commodity.com that functions as the market maker. This is attractive in a setting currently handled by classified ads, where there are many individual offerors seeking a central marketplace. The process is as follows:

Offeror submits to Commodity.com an advisory offering object for sale 180.

Commodity.com advice site staff edits and posts advisories 181, 182.

Users subscribe to Commodity.com 184.

Subscribers input information about interests to user profile 189, 190.

Relevant advisories concern objects meeting their interests. The process proceeds as described above, where the advice reader gathers advisories from Commodity.com 183. Relevance evaluation is performed 185 in accordance with a user profile 190, as inspected by a user profile inspector 186. The user views the relevant commodities 187 and acts on the information contained therein 188.
BalanceTransfer.com 

In the world of financial services, there are many companies that attempt to market specific services to customers directly. These include credit cards with specially low rates on cash advances, particularly credit balance transfers from competing financial instruments, and mortgage refinancing offers.

The attempt to reach consumers is expensive and often 
difficult. Certain consumers, who might otherwise be inter- 
ested in the financial benefits of the service, do not allow 
telephone or mail contacts. Other consumers do not disclose 
sensitive information over the phone, which is typically 
required to participate. 

The following is an example of a financial services offer 
through use of the invention. This embodiment of the 
invention is described as a centralized system, although it 
easily could be a decentralized system. 

Offeror submits advisory to BalanceTransfer.com offering balance transfer to those with sufficient balances and incomes.

BalanceTransfer.com advice site staff edits advisories and posts.

User subscribes to BalanceTransfer.com.

User fills out information about credit card balance, existing interest rate on balance, and income for User Profile.

Advice reader uses remote connection to verify balance, preserving privacy.

Relevant offers are those which benefit user. The advisory, if well written, uses the income data to test if the applicant is approved. Hence, relevant advisories have credit preapproved.
There are many variations on this kind of advice. Home 
refinancing operates in substantially the same way. The 
advisory is written mentioning variables associated with the 
principal, current interest and term of an existing loan. An 
advisory is relevant if it provides a set of better terms than 
an existing loan. 

There is no reason why this service must be globally 
centralized. In a typical variation, individual mortgage bro- 
kers offer their own advice sites. 
BadPills.com

The invention can be used for a variety of consumer product warnings, recalls, and safety advisories. The following is one example.

BadPills.com is a site where information is available about drug products and their interactions. The following describes how the site operates to notify pharmacies about potentially damaging drug interactions in their customer base.

The FDA and other organizations, e.g. pharmaceutical manufacturers and consumer organizations, submit information about interactions and side effects of medications. Each advisory has the following form:
The relevance clause asserts the existence in the pharmacy database of customers with active prescriptions for drugs with a known potentially damaging interaction.

The human readable content tells about the interaction, tells the pharmacist that he has such an interaction in his client base, and urges the pharmacist to correct the situation.

Advice site collects submissions, edits and posts.

Pharmacy subscribes to the site. As part of subscription initiation, the pharmacy must install a standard pharmacy customer database inspector on its computer. This inspector can check to see if any patients in the database have a certain prescription.

Pharmacy computer gathers advisories routinely.

Relevance evaluation generates queries to pharmacy customer database inspector.

Database inspector processes pharmacy database.

Relevant messages are provided for dangerous drug combinations.

There are many variations on this embodiment of the invention. A similar service for physicians is made available through a physician patient database inspector for those physicians who keep track of patient subscriptions on their office computers. A similar service for patients is made available through an individual health record database inspector for those individuals who enter their own subscriptions in the user profile. One way to simplify this is to have an information exchange program, allowing a user to remotely query the pharmacy database for information about himself.

Group Anonymous Messaging 

Suppose there is a group G of individuals who wish to have an anonymous communication with a provider P. The individuals in G are widely distributed and do not know each other. There is a way to use the invention to set up a site for two-way anonymous communication of this kind.

Such communications are made widely available and are used by many persons. For the anonymity of the participants, it is important that the system be used by many different persons from many different groups.

The site is an anonymous posting advice site where any e-mail sent to a certain address has its identity stripped and is posted at the advice site. Such an advice site operates completely automatically. This site may be referred to as SecretFriends.org.

This site may be used in conjunction with private-public key cryptosystems. Secure off-line refers to a system where an agent of G arranges with P for a conversation. The agent delivers to P a public-key which is created for G for the purpose of conducting this discussion. This key is not actually public. It is a secret known only to G and to P. It is only referred to as a public key because it is the key which is commonly made public in standard applications of public-private key systems. The key is only delivered to P. Similarly, the agent returns a specially created public key from P to G.

G and P exchange messages by the following process:

Subscribing to SecretFriends.org.

Authoring messages which are relevant only to those holding the decryption key they have released.

Using anonymous remailers or other means to post to SecretFriends.org the encrypted messages.

This approach provides anonymous communications as follows: A participant's advice reader synchronizes with SecretFriends.org. Potentially, a great number of advisories, actually encrypted messages, are obtained. The only messages that are displayed by the advice reader are those that are actually decryptable using the indicated key. The others are all jettisoned. The relevant advisory is then decrypted and read.

This approach provides anonymity under the AEUP protocol because, assuming many different people are using SecretFriends.com, there are a great number of messages being placed there, and only a tiny fraction end up being of interest to a given reader. Because of the structure of AEUP, no one watching the process at the advice site can tell which messages turned out to be relevant to which user.
Distribution of Sensitive Product Information 

A variant on the group anonymous messaging embodiment, in a specific setting, is provided as an information service for consumers of products who do not want it known that they use the indicated product. For example, users of antipsychotic medication or those undergoing cancer treatment.

Users of the sensitive product are given a numerical code with the purchase of the product which serves as the (secret) public key. The users then subscribe to a certain advice site, arranged in advance, which is, for example, SecretFriends.org, or an industrywide consortium site, for example Druginfo.org. The users indicate in their subscription the (secret) public key. The advice reader periodically synchronizes with the site, and brings in advisories, some of which may concern the product. The others do not concern the product. Only the advisories associated with the specific medication pass the digital signature test and become relevant.
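An added sketch of the reader-side selection described in the two sections above, not code from the patent: every reader fetches the whole pool and decides relevance on its own machine, so the request log at the site is identical for all of them. The class names, codes and advisory texts are constructed, HMAC-SHA256 stands in for the digital signature test under the (secret) key, and advisory bodies are left unencrypted to keep the example short.

```python
import hashlib
import hmac


def make_tag(code, body):
    """Keyed tag over the advisory body (stand-in for the signature test)."""
    return hmac.new(code, body.encode(), hashlib.sha256).hexdigest()


def author(code, body):
    """Provider side: an advisory carries a tag but no recipient identifier."""
    return {"body": body, "tag": make_tag(code, body)}


class AdviceSite:
    """Anonymous posting site; it stores advisories and never sees a code."""

    def __init__(self):
        self.pool = []
        self.request_log = []  # what an observer at the site can record

    def post(self, advisory):
        self.pool.append(advisory)

    def synchronize(self):
        # Every reader issues the same request and receives the whole pool.
        self.request_log.append(("GET", "all advisories", len(self.pool)))
        return [dict(advisory) for advisory in self.pool]


class AdviceReader:
    def __init__(self, held_codes):
        self.held_codes = list(held_codes)

    def relevant(self, site):
        """Fetch everything, keep only advisories that verify under a held code."""
        kept = []
        for advisory in site.synchronize():
            body, claimed = advisory.get("body"), advisory.get("tag")
            if not isinstance(body, str) or not isinstance(claimed, str):
                continue  # malformed entry: jettisoned
            for code in self.held_codes:
                expected = make_tag(code, body)
                if hmac.compare_digest(expected.encode(), claimed.encode()):
                    kept.append(body)
                    break
        return kept


def demo():
    """Constructed pool: two products, one forged advisory, one malformed entry."""
    site = AdviceSite()
    code_a, code_b = b"constructed-code-A", b"constructed-code-B"
    site.post(author(code_a, "Product A: revised leaflet available."))
    site.post(author(code_b, "Product B: batch 7 recalled."))
    forged = author(code_b, "Product B: ignore the recall.")
    forged["tag"] = "0" * 64  # posted by someone who does not hold code B
    site.post(forged)
    site.post({"body": "entry without a tag"})
    user_a = AdviceReader([code_a]).relevant(site)
    user_b = AdviceReader([code_b]).relevant(site)
    bystander = AdviceReader([]).relevant(site)
    return user_a, user_b, bystander, site.request_log


if __name__ == "__main__":
    for result in demo():
        print(result)
```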
Security Issues 

When the invention disclosed herein is implemented as described above and deployed in the technical support application, it may be operating in a security and privacy critical setting. The implemented system is then typically interacting automatically with the Internet, and obtaining and using resources from remote computers without direct human oversight. These resources remain resident on the consumer computer, typically over an extended period of time, being evaluated periodically for relevance. When relevant advisories are identified, the advice reader displays to the human consumer the explanatory content of the relevant advisory. This explanatory content may propose to the consumer actions which may have effects on the computer, on attached devices, or elsewhere. If the consumer gives approval, these actions typically are then carried out automatically.

In short, the advice reader introduces into the consumer computer documents that are processed automatically and that after processing may propose to the user potentially permanent modifications to the computer or its environment. The consensus opinion of networking professionals (see Anonymous (1997) Maximum Security, Sams.net Publishing, Indianapolis; Oaks, S. (1998), Java Security, O'Reilly, Sebastopol, CA; and Baker, R. H. (1995) Network Security, McGraw-Hill, New York) is that unsupervised interaction with the Internet poses serious risks. In fact the invention, in its standard mode of operation, does not expose the advice consumer or advice provider to risks greater than the baseline risks involved in typical usage of e-mail, browsers, and related Internet tools. Those modes of Internet interaction are currently considered acceptable risks. The invention, in a typical mode of operation, offers lower risk.
Preliminary Comments 

Two fundamental points are of interest.

Trusted sites. The concept of trust is discussed above. Users should only subscribe to advice sites that are known to them to provide trustworthy advice. In fact, consumers typically configure their advice reader to subscribe mainly to advice from large concerns which manufacture goods and services of interest to the consumer such as, for example, a computer manufacturer, a software publisher, or the provider of Internet service. Subscription to substantial organizations of this type is a reasonably secure practice. Such organizations have an interest in providing trustworthy advice so that they maintain rapport with their consumers. It is anticipated that very few risks are posed to advice consumers who subscribe to advice authored by such concerns.

Better Advice Bureau. The Better Advice Bureau.org, which is described above, is a fundamental tool for ensuring the security of invention users. All invention users subscribe to this site. This site compiles counter advice, informing users about dangerous sites and about bad advice which is circulating. The Better Advice Bureau functions in some respects as an immune system for the invention, allowing the correction of dangerous situations. UrgentAdviceNet is another site to which all users subscribe. It provides a special mechanism for delivering very urgent counter advice to the consumer population.

Absence of High Profile Risk

The following discussion of security considers some of the more well known risks of Internet interaction and then explains why these well known risks actually do not arise under the invention when used in a typical implementation.

Inventory of High Profile Risks

Internet operations have in the past suffered a number of active threats that can be symbolized by three figures who have captured the popular imagination:

Break-ins: Kevin Mitnick. Over a period of years Mitnick used the Internet systematically to break into computers worldwide, and he managed deliberately to cause some to crash or to lose data permanently. While it is supposed that Mitnick was some sort of evil genius, the truth is that sites on the Internet give instructions on how to break into Pentagon computers. A Pentagon-led experiment in 1997 showed that using publicly available information one could, in fact, access classified DOD computers and cause permanent damage to files.

Attacks. The Internet currently makes software tools available for free which allow their users to attack other people's computers over the Internet, causing those computers to crash. The basic strategy is to connect to various TCP/IP port servers on the intended victim computer and flood it with requests for service. (Anonymous, Maximum Security, Sams.Net 1997)

Worms: Robert Morris, Jr. In a well-known 1988 episode, Morris released a worm which spread rapidly across the Internet, installing itself in many machines, and while in execution on those machines, spread itself to other machines. In fact, Morris was attempting no more than a prank. The rapid and pervasive spread of the worm surprised him, as did the enormous amount of time required to eradicate the worm and regain full capabilities of the affected computers. The powerfully disruptive nature of the worm was caused by its ability to spread automatically, and run automatically on whatever machine it reached. This case dramatizes the risks that can arise through the automatic spreading of executable code across the Internet. (Pfleeger, Security in Computing, Prentice Hall 1996)
Absence of Consumer Exposure to High-Profile Risk

The advice reader does not expose the consumer to additional risk from these high profile sources beyond the baseline risk he suffers now.

The advice reader is not vulnerable to break-in because it does not offer any kind of interactive shell offering log-in access, as the term break-in requires.

The advice reader does not expose the consumer computer to any extra risk of attack beyond the risk the consumer already faces due to Internet connectivity.

The advice reader adds no risk because it does not make available any perpetually open TCP/IP port which can be flooded with requests. There is nothing the outside world can do to try to talk to or initiate an interaction with the advice reader.

The advice reader does not expose the network to any risks of worms. In a typical configuration, the system does not offer any mechanism by which anything can spread from advice reader to advice reader.

Server Exposure

Consider the vulnerability of the invention server to active threats. A server using the invention, as with any Internet-based server, exists for the purpose of offering services to the outside world. It is visible on the Internet and open for business, typically around the clock.

There is no risk of break-in, because there is no interactive shell offering log-in access, as the term break-in implies. However, the server can be flooded with requests as with any Internet server. There are well known techniques to combat such request floods, and professional Web site operators know about them. The server side users of the invention are professionals who are well equipped to evaluate and react to this type of standard threat.

The invention's server does not expose the server to any risks of worms. In a typical configuration, the system does not offer any mechanism by which anything can spread from advice reader to advice server, or by which anything other than an extremely narrow range of functions can be performed by the server.

Protective Influence

There is a certain sense in which the invention actually can help protect against worms, break-ins, and attacks. The advice delivery mechanism allows network security personnel to create advisories warning the consumer when the consumer is behaving in a way that leaves the door open to criminal disruption. The advice delivery mechanism also allows network security personnel to author advisories which diagnose whether a user is currently being attacked, or has been recently attacked. In this way, the invention functions as an immune system, allowing the rapid spread of corrective advice.
Spoofing Risks 

In effect, the invention interaction is never completely 
unsupervised. The advice reader only interacts with advice 
sites that have been subscribed to by the user. The user is
therefore, in his choice of subscriptions, exerting a kind of
permanent high level supervision. If the user subscribes only
to sites offered by organizations with a strong incentive to
provide trustworthy advice, he is protected. An individual
making harmful advice does not legally have a way to force
the introduction of that advice into any given advice reader. 

There is a very important category of active threat which 
is not widely known, i.e. attack by spoofing. In this category 
falls spoofing of Internet locations, i.e. the user thinks he is 
communicating with a certain trusted site, but actually is
communicating with an impostor site. Another kind of
spoofing is the use of mole programs which appear to be
standard applications but which actually are not, and can
violate privacy and security in other ways. (Anonymous,
Maximum Security, Sams.Net 1997)

DNS Spoofing

In this scenario, an impostor creates a near clone of a 
popular and trusted site, such as the site of MicroComp. 
However, the impostor site also contains harmful advice. 

DNS spoofing provides a way for the impostor site to 
appear to certain users on the network as if it were actually 
the popular and trusted site of MicroComp. The only way 
this could happen under current network protocols is for the
impostor to interfere with the DNS lookup process of certain 
consumers, and misdirect certain consumer advice requests 
aimed for MicroComp. 

DNS spoofing operates as follows: The impostor must 
have system level access to a machine on the Internet which 
is physically located in a position to intercept some of the 
domain name resolution requests intended for a certain 
Domain Name Server (DNS). The impostor programs the IP 
routing logic to inspect the intercepted requests looking for 
those which refer to MicroComp and, when such a request 
is found, to return an incorrect TCP/IP address, the returned 
address referring to his fake advice site. All advice readers 
situated downstream from the impostor are in this way 
misdirected to the fake advice site whenever they try to go 
to the MicroComp advice site. The fake site appears just like 
a real site, but distributes harmful advice under the pretense 
of being a trusted provider. In short, by perpetrating DNS 
fraud, there is a way for an attacker to introduce damaging 
advice directly into one or many computers. 

This sort of activity constitutes criminal fraud under 
current federal regulations. This type of fraud is reportedly 
rare (see Anonymous (1997) Maximum Security, Sams.net
Publishing, Indianapolis). In addition, a perpetrator able to
carry off this type of fraud might find systems using the 
invention to be less attractive than other targets. For 
example, DNS spoofing of large electronic commerce sites 
such as bookstores and computer software warehouses is 
more attractive to the perpetrator, in the sense of offering a 
more rewarding payoff if the spoof is successful. Indeed, the 
perpetrator could offer a Web site pretending to be the Web 
site of a certain merchant, offering up Web pages with the 
same general visual appearance as Web pages from the 
correct site. The fake Web site contains forms which the user 
fills out to execute the transaction. In reality, those forms are 
used to capture information about credit card numbers or 
other sensitive financial data. This seems a more direct way 
for a perpetrator to benefit from a DNS spoofing scheme. 

This sort of activity affects only a subset of the users of 
a large public network such as the Internet. For example,
assuming that an individual consumer enjoys a secure con- 
nection to a DNS server, and assuming also that the infor- 
mation on the DNS is maintained securely, DNS spoofing is 
not a material threat for that particular consumer. In most 
moderately large corporate environments, DNS services are 
provided within the corporate intranet. Assuming that the 
impostor is outside the corporation, then for advice consum- 
ers within the corporation, this spoofing threat is stymied by 
the standard security devices for intranets, i.e. firewalls. 
Certain noncorporate advice consumers enjoy Internet 
access through Internet service providers offering DNS 
servers located on the Internet in close physical proximity to 
their modem banks. Assuming that the impostor is not inside 
the physical domain of the Internet service provider's 
offices, consumers who use such DNS services may also be 
secure against DNS spoofing. 

In effect, spoofing is only a threat for advice readers 
relying on insecure connections to their DNS. In future 
network protocols, DNS connections may be digitally
authenticated, and the spoofing threat is stymied in such
settings as well. Until that time, the invention has a way to
stymie this threat under the current regime using digital
authentication of advice itself. Digital authentication of
advice is also of interest to those consumers with secure
DNS connections because advice may be distributed, in
some implementations, by insecure means such as e-mail or
sneakernet. It gives the user additional confidence in the
advice he is receiving.

In a typical implementation of invention, the term digital
authentication refers to the use of existing digital signature
mechanisms based on so called public-key/private-key pairs
(see PGP 4.0 Users Manual, PGP Pretty Good Privacy, Inc.
(1997)). This mechanism is developing into a well
understood, mature, and reliable standard. Other forms of
digital authentication can be used with equal validity.

The following describes how the public-private key pair
mechanism is used to authenticate advice. The advice
provider, e.g. MicroComp, acquires a public-key/private-key
pair, of which the private key is a secret known only to
the provider. The provider takes steps, described below, to
publicize the correct public key. The provider, knowing both
keys of the pair, attaches to each advisory a signature block
which is successfully interpreted by an advice reader which
knows the correct public key. The ability to interpret the
block is considered by the advice reader proof that the author
knew both keys, which is considered proof that the author is
in fact MicroComp. In a typical implementation, a user
interface component informs the user that a given piece of
advice is signed by MicroComp. The precise meaning of this
is that the signature block is successfully interpreted by
using the known public key.

The invention's mechanism for protection from the DNS
spoofing threat involves actions by both the consumer and
the provider. The provider authors a site description file,
containing a listing of the information related to the
subscription, including the site's location and the site's
digital signature public key. The provider publishes the site
description file, for example in physical media such as a disk
or CD-ROM, as part of the distribution of a software product
offered by MicroComp. In this way, many consumers obtain
copies of the site description file by secure means. A
consumer initializing a subscription to MicroComp presents
to the advice reader's subscription manager the site
description file for MicroComp. The provider, whenever authoring
an advisory, attaches a digital signature block. The advice
reader, whenever obtaining a piece of advice, checks that the
digital signature is successfully interpreted using the public
key known to the reader to correspond to MicroComp.
Unless the advisory passes this test, the advice reader refuses
to evaluate the advice for relevance. The reader may also
notify the user that there is unsigned advice coming from a
site whose site description file claims that the site provides
only signed advice. The reader also offers to inform Better
Advice Bureau of this fact.

To see why this approach protects against DNS spoofing,
it is important to understand a basic feature of the
public-key/private-key system. It is commonly accepted that an
impostor faces a very difficult time trying to fake the digital
signature of MicroComp.Com. This conclusion rests on the
assumption that the impostor must make a successful fake
signature using only the publicly available information
associated with the encryption scheme; i.e. that the impostor
does not have access directly to MicroComp.Com's private
key. It is computationally an extremely difficult task for an
impostor to fake a digital signature correctly from publicly
available data (see C. Pfleeger, Security in Computing,
Second Edition, Prentice-Hall (1996); and PGP 4.0 Users
Manual, PGP Pretty Good Privacy, Inc. (1997)). It is an
equivalent computational task to the task of factoring an
integer with hundreds or thousands of digits into its prime
factors. Using networks of many thousands of computer
workstations over periods of many months, it has been
possible to factor individual numbers with about 150-200
digits. However, this has been achieved only by a kind of
scientific collaborative enterprise. It is unlikely that an
impostor has access to the required resources for mounting
[...] succeed on integers of the lengths
commonly used in signature algorithms. Moreover, there is
an easy remedy, i.e. double the number of digits of the keys,
placing the factorization task beyond reach of any currently
conceivable collaborative effort based on currently
conceivable computational resources.

In short, an impostor is highly unlikely to be able to author
advice with a digital signature which is intelligible using the
correct MicroComp public key. Unless the impostor can do
this, the advice reader refuses to evaluate the advice for
relevance, and so the impostor's advice poses no substantial
threat.

Key Spoofing

An apparent hole in the digital authentication system is
the possibility of key spoofing. In this scenario, the
consumer's advice reader has somehow accepted an incorrect
public key for MicroComp, i.e. a key which is not the correct
key for MicroComp, but is instead the public key of a
public-key/private-key pair owned by the impostor. If this
happens, then the advice reader can be deceived because it
recognizes the impostor's advice as valid. However, the
invention is designed to prevent this scenario from occurring.

For key spoofing to occur, the consumer's subscription
must be initiated using a site description file that is not
obtained through secure channels, such as the original
software installation from physical media. The impostor
must author description files and distribute these on
the Internet.

A typical implementation of invention cannot be fooled
by spoofing. There are three mechanisms for this, any
combination of which may be effective:

Certification of site description files. In one
implementation, site description files may include a
digital signature by a central authority, the Better
Advice Bureau, testifying that the site description file
purporting to be authored by MicroComp is, in fact, so
authored. The digital signature of Better Advice Bureau
is hard wired into the advice reader, thereby avoiding
the possibility of spoofing the Better Advice Bureau
certification.

Spoof-Proof Key Verification. A typical implementation
of the subscription manager performs key verification
prior to recording a subscription. It contains hard wired
information enabling it to make a direct TCP/IP
connection to a hard wired IP address of a key
authentication server. Such a server verifies that a given
organization's public key is as it is said to be. Because the
contact address of the server is hard wired into the
program, access to the key server cannot be DNS
spoofed.

Counter-advice. If a certain site is successfully spoofed, it
may submit to Better Advice Bureau.org an advisory
which goes out to all advice readers because Better
Advice Bureau.org is a built-in subscription. The
advisory asserts the value of the correct public key
associated with the site. Those users with incorrect public
keys are notified with the relevant advisory, which
explains the risks involved. If the issue is particularly
urgent, the site UrgentAdviceNet is employed.
In summary, if the advice reader and its subscriptions are 
appropriately configured, the advice consumer is protected 
from spoofing when the advice provider digitally signs his 
advisories. 
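
The chain of checks described above (a site description file certified by a key hard wired into the reader, then a signature check on every advisory) can be sketched as follows. This is an added example, not code from the patent: toy textbook RSA built from small Mersenne primes stands in for the PGP-style signatures the text cites and is not secure, and the class names, the file layout and the advice.microcomp.example location are assumptions.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by all toy keys in this example


def make_keypair(p: int, q: int):
    """Toy textbook-RSA key pair from two primes: ((n, e), (n, d))."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


def _digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message: bytes) -> int:
    n, d = private
    return pow(_digest(message, n), d, n)


def verify(public, message: bytes, signature) -> bool:
    n, e = public
    if not isinstance(signature, int) or not 0 <= signature < n:
        return False
    return pow(signature, e, n) == _digest(message, n)


@dataclass(frozen=True)
class SiteDescription:
    site: str
    location: str
    public_key: tuple  # (n, e) used to check the site's advisories

    def to_bytes(self) -> bytes:
        n, e = self.public_key
        return f"{self.site}\n{self.location}\n{n:x}\n{e:x}".encode("ascii")


class AdviceReader:
    def __init__(self, bureau_public):
        self._bureau_public = bureau_public  # hard wired certifier key
        self._subscriptions = {}             # site name -> SiteDescription

    def subscribe(self, desc: SiteDescription, certificate) -> bool:
        """Record a subscription only if the certifier signed this exact file."""
        if not verify(self._bureau_public, desc.to_bytes(), certificate):
            return False
        self._subscriptions[desc.site] = desc
        return True

    def check_advisory(self, site: str, body: bytes, signature):
        """Return (evaluate_for_relevance, reason)."""
        desc = self._subscriptions.get(site)
        if desc is None:
            return False, "no subscription for this site"
        if signature is None:
            return False, "unsigned advice"
        if not verify(desc.public_key, body, signature):
            return False, "signature does not verify under the subscribed key"
        return True, "signed by " + desc.site


def demo():
    # Constructed keys: products of Mersenne primes, far too weak for real use.
    bureau_pub, bureau_priv = make_keypair(2**127 - 1, 2**521 - 1)
    micro_pub, micro_priv = make_keypair(2**89 - 1, 2**107 - 1)
    fake_pub, fake_priv = make_keypair(2**61 - 1, 2**607 - 1)

    reader = AdviceReader(bureau_pub)
    real = SiteDescription("MicroComp", "advice.microcomp.example", micro_pub)
    fake = SiteDescription("MicroComp", "advice.microcomp.example", fake_pub)
    body = b"Constructed advisory text: offer the driver update."

    results = {}
    # Key spoofing: a description file carrying the impostor's key, which the
    # impostor can only certify with a key the reader does not trust.
    results["fake_subscription"] = reader.subscribe(
        fake, sign(fake_priv, fake.to_bytes()))
    results["real_subscription"] = reader.subscribe(
        real, sign(bureau_priv, real.to_bytes()))
    results["genuine"] = reader.check_advisory(
        "MicroComp", body, sign(micro_priv, body))
    # DNS spoofing: the fake site can deliver advice but cannot sign it
    # with the provider's private key.
    results["impostor"] = reader.check_advisory(
        "MicroComp", body, sign(fake_priv, body))
    results["tampered"] = reader.check_advisory(
        "MicroComp", body + b" Extra line.", sign(micro_priv, body))
    results["unsigned"] = reader.check_advisory("MicroComp", body, None)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```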

Reduction of Spoofing Threats 

DNS Spoofing, while a significant threat to Internet 
security, is not more of a threat to the invention than to other 
components of the Internet, especially e-commerce. The
Better Advice Bureau.org and UrgentAdviceNet are impor- 
tant devices to help suppress spoofing of advice. 

Better Advice Bureau.org and UrgentAdviceNet are
important devices to help suppress spoofing of all Internet
activities. By the use of this combination, the Internet's
susceptibility to spoofing may be reduced, and the
attractiveness of spoofing in other settings, outside of
invention, is reduced.

Advice Reader Moles

Another potential hole in the invention's security system
is the possibility that a copy of the executable binary of a 
legitimate advice reader is acquired by an attacker, and then 
is systematically altered to introduce various new behaviors. 

The resultant illegitimate reader is then redistributed on 
the Internet, where it masquerades as a legitimate copy of 
the advice reader, and is downloaded and used by unsus- 
pecting consumers. Nothing can stop the creation of such 
illegitimate readers. Nothing can stop illegitimate versions 
of a software tool from displaying very damaging behavior. 
This is well understood by the community of Internet users 
worldwide. Anyone who downloads software over the Inter- 
net from sites which are not authentic providers of trusted 
software exposes himself to the same risk, whether the 
software is a word processor, a spreadsheet, a Web browser, 
or the advice reader. 

However, of concern is the possibility of illegitimate mole 
readers whose goal is not to cause damage but to compro- 
mise the security and privacy of the user. Such mole readers 
contain subtle features escaping detection by casual obser- 
vation but allowing for subtle effects on the user's environ- 
ment or for the gathering and forwarding of important 
information about the user. Again, the invention is no more
vulnerable to this kind of modification than any other piece 
of software. However, the typical implementation of the 
invention contains two mechanisms which can identify the 
existence of mole software and help correct the situation. 
Server-Challenge. This is implemented as part of the
invention server-reader interaction protocol. A typical
implementation of the server begins its transaction with
an advice reader through a handshaking session, in
which the server challenges the reader to prove that it
is a valid version of an advice reader. In a typical
implementation, the advice reader is written to create
certain data blocks with known properties dynamically
in memory at known location offsets from the
beginning of the program. The method by which the data was
created and the purpose of the creation are guarded
secrets. The server selects random blocks of this data
and asks the reader for the correct digital digest
associated with such a block. If the program is altered, it is
difficult for the executable code to answer the challenge
correctly. If the server receives an unsatisfactory
answer, the server then transmits advice to the reader
which is automatically relevant, stating that the user's
advice reader appears illegitimate. The advice reader
may also refuse to interact with servers that do not pass
a digital authentication test.

Advice-Challenge. The invention, at Better Advice
Bureau.org, offers advice whose intent is to verify that
a valid configuration of the invention is installed. The
advice, which may change daily, asserts that certain
blocks of the data in the CPU memory while the advice
reader is running have certain digital digests. The
blocks are chosen randomly by the Better Advice
Bureau.org authority, or according to design, when a
certain well known mole is to be diagnosed from a
specific motif in the binary data at a specific location.
In summary, invention diagnoses moles and notifies users 
about them. 
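
The server-challenge handshake described above, as an added example that is not part of the original text. The memory image, the 64-byte block size, the per-challenge nonce and all names are assumptions made for the illustration; the text specifies only that the server asks for digests of randomly selected blocks.

```python
import hashlib
import hmac
import random
from dataclasses import dataclass

BLOCK = 64  # bytes covered by one challenged block (assumed size)


def build_image(seed: bytes, size: int = 4096) -> bytes:
    """Constructed stand-in for the data blocks the reader creates in memory."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:size])


def alter(image: bytes, start: int, length: int) -> bytes:
    """Model an altered reader: every byte in [start, start + length) differs."""
    patched = bytearray(image)
    for i in range(start, start + length):
        patched[i] ^= 0xFF
    return bytes(patched)


@dataclass(frozen=True)
class Challenge:
    nonce: bytes    # fresh per handshake, so an old answer cannot be replayed
    offsets: tuple  # start offset of each challenged block


def block_digest(image: bytes, nonce: bytes, offset: int) -> bytes:
    block = image[offset:offset + BLOCK]
    return hashlib.sha256(nonce + offset.to_bytes(4, "big") + block).digest()


class Reader:
    def __init__(self, image: bytes):
        self._image = image

    def answer(self, ch: Challenge):
        return [block_digest(self._image, ch.nonce, off) for off in ch.offsets]


class Server:
    def __init__(self, reference: bytes, rng):
        self._reference = reference
        self._rng = rng

    def challenge(self, blocks: int, offsets=None) -> Challenge:
        nonce = bytes(self._rng.getrandbits(8) for _ in range(16))
        if offsets is None:
            last = len(self._reference) - BLOCK
            offsets = [self._rng.randrange(last + 1) for _ in range(blocks)]
        return Challenge(nonce, tuple(offsets))

    def accepts(self, ch: Challenge, answers) -> bool:
        expected = [block_digest(self._reference, ch.nonce, o) for o in ch.offsets]
        if len(answers) != len(expected):
            return False
        return all(hmac.compare_digest(a, b) for a, b in zip(answers, expected))

    def detection_rate(self, reader: Reader, blocks: int, rounds: int = 400) -> float:
        """Fraction of random handshakes that the given reader fails."""
        failed = 0
        for _ in range(rounds):
            ch = self.challenge(blocks)
            failed += not self.accepts(ch, reader.answer(ch))
        return failed / rounds


def demo():
    image = build_image(b"constructed-reader-build")
    # Seeded PRNG only so the example is reproducible; a server would draw
    # nonces and offsets from a CSPRNG such as the secrets module.
    server = Server(image, random.Random(2024))
    genuine, altered = Reader(image), Reader(alter(image, 1000, 100))
    ch = server.challenge(8)
    hit = server.challenge(1, offsets=[990])    # block overlaps the altered bytes
    miss = server.challenge(1, offsets=[2048])  # block lies outside them
    return {
        "genuine": server.accepts(ch, genuine.answer(ch)),
        "altered_hit": server.accepts(hit, altered.answer(hit)),
        "altered_miss": server.accepts(miss, altered.answer(miss)),
        "rate_1_block": server.detection_rate(altered, 1),
        "rate_16_blocks": server.detection_rate(altered, 16),
    }


if __name__ == "__main__":
    print(demo())
```

A single challenged block catches only alterations that overlap it, so the number of blocks per challenge sets how much of the image each handshake covers.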

Reduction of Mole Threats

Moles, while a potential threat to Internet security and
privacy, are not more of a threat to the invention than to
other components of the Internet, especially e-commerce.
Better Advice Bureau.org and UrgentAdviceNet are
important devices to help suppress spoofing. The same remark
applies to moles. Better Advice Bureau.org and
UrgentAdviceNet are important devices to help suppress mole
applications uniformly. By the use of these devices, the Internet's
susceptibility to mole activities may be reduced, and the
attractiveness of mole activities in other settings, outside of
invention is reduced.
Irreducible Core Risks 

A threat is caused by defective advice offered in good 
faith by usually trustworthy authors. Advice authors have 
reputation incentives which tend to make them want to
provide good advice. Advice providers in one core
application, e.g. technical support, are part of sophisticated
organizations which have the ability to do things in a
disciplined way. They understand that advice should be
tested for safety and effectiveness and be released in a
deliberate, staged manner. Because of this, it is likely that
very few pieces of advice in the technical support
applications area are defective. Nevertheless, there are occasional
problems with advice authored by typically trustworthy
providers.

The risks posed by advice are of two kinds: 
First, there are the risks posed by advice gathering and 
evaluation. 

Second, there are risks posed by the solution process, i.e.
by the user's response to a relevant advisory which offers the
user a solution to a problem. This second type of risk is by
far the more serious one. When the user agrees to a solution,
he is allowing powerful actions with potentially permanent
consequences. The advice reader is not able to provide any
kind of protection against the effects of applying flawed or
malicious solutions. Instead, the burden of security must fall
on the user, who should always limit subscriptions to well
known, trusted sites, and should always carefully check the
explanation and the authenticity of authorship before
accepting a solution proposed by an advisory. In its typical
configuration, invention does not automatically apply solu- 
tion operators, precisely because of the need for user super- 
vision. 

As for the first kind of risk, that from gathering and 
evaluation, the invention is specially designed to limit risk.
It is true that the invention is typically used in a mode of
automatic unattended operation. In this mode, advisories are
gathered from external advice sites without user intervention
and are automatically evaluated for relevance without user
intervention. As mentioned earlier, the consensus of Internet
experts is that automatic unattended operation over the 
Internet poses serious risks. 
However, the invention does not download arbitrary
resources, nor does it evaluate arbitrary executable code. Its
design imposes constraints on what information can flow
into the computer automatically, and on what effects
automatic evaluation can have. These constraints are specifically
imposed to avoid the known risks of unattended operation.

In its typical configuration, the invention does not
automatically apply solution operators, even when performing
automatic unattended operation. In that typical
configuration, the effects of automatic unattended operation
on the system are not direct effects, i.e. the advice reader
does not enable modify access to a specific piece of the
system environment. The effects are instead indirect, i.e.
side effects of consuming too many resources during the
downloading and evaluation of advice. The side effects to be
concerned with are of three types:

(a) Advice gathering might monopolize all network bandwidth.

(b) Advice gathering might fill up the local storage device.

(c) Relevance evaluation might consume all CPU cycles.

Problems (a) and (b) are solved by resource rationing. The
information that can flow into the computer consists of
ASCII text files. By imposing resource quotas at download
time, the system protects against the possibility that overly
many network resources are used and protects against the
possibility that overly big files are downloaded into the
machine, exhausting the capacity of the processor or storage
device. Problem (c) is also partly solved by resource
rationing. By metering CPU usage and imposing resource quotas,
the invention can address the problem.

Security Support in the Invention

The invention is designed to support security habits in
several ways.

Language Structure

The relevance language is an example of mobile code.
Such code is written by an author on one computer for
interpretation on another computer. Recently, there has been
considerable interest in the development of safe languages
for mobile coding (see S. Oaks, Java Security, O'Reilly
(1998); and N. Borenstein, Email with a mind of its own:
The Safe-TCL Language for Enabled mail,
http://minsky.med.virginia.edu:80/sdm7g/Projects/Python/safe-tcl/).
Java and Safe-TCL are examples of so called safe
languages, i.e. they are considered to provide a degree of
safety that traditional languages such as C and C++ cannot
offer.

The relevance language is a language for mobile coding.
The language offers a level of security protection in excess
of the current norm of the Internet business community.
Relevance Language interpretation is inherently safer than
safe languages for mobile code, such as Java and TCL. Java,
TCL, and related languages are procedural languages. They
contain control features such as loops, recursion, and
branching statements which, if abused, can consume large
fractions of system CPU resources. They offer authors
storage allocation facilities which, if abused, can potentially
consume large fractions of system memory resources.
Remote unattended operation of code from these languages
obtained over the Internet can in fact be dangerous, despite
the labeling as safe. In fact, these mobile code languages are
typically only used in attended operation. For example,
mobile Java code is typically used in Web browsers, with a
human watching the screen as the code runs. It is implicitly
understood that the human is supervising the execution of
the process.

The relevance language is a descriptive language rather
than a procedural language. It describes a state of the
computer and its environment. Relevance evaluation is a
process of determining whether this state holds or not. This
description of the state uses a language that does not exhibit
traditional control structures, such as loops, nor does it have
traditional storage allocation facilities.

In fact, the relevance language is so tightly constrained
that it is not Turing-complete. It does not suffer from the
Turing halting problem, which is a typical property of
procedural languages. The Turing halting problem is to
decide whether a given computer program ever halts or not.
[...] procedural languages are undecidable. They contain
programs, perhaps even simple ones, for which it can never
be known in advance whether the program must always halt.
Java and TCL programs can be undecidable. In stark
contrast, statements expressible in the relevance language
are decidable, i.e. they halt. This is an additional level of
security that goes well beyond the security guarantees of
mobile code languages, such as Java and TCL.

Human Intelligibility

An additional security feature of the invention is the
human intelligibility of the relevance language. The
relevance language has an appearance which is reminiscent of
ordinary English. A consumer who reads English can form
an approximate sense of what a given piece of advice is
doing by inspecting the plain text of the advisory. In this
way, consumers are brought into the process of
understanding the advisories sent to them. While it is true that
untrustworthy advice providers, by writing opaque relevance
clauses, may still be able to disguise their intentions, the
more important point is that trustworthy advice providers are
able to make their intentions clear to consumers, and thereby
gain and cultivate trust.

Disclosure and Labeling

The invention offers, in one implementation, a mechanism
to encourage advice providers to label their advisories
clearly for intended effects and thereby provide the public an
accurate understanding of the risks associated with a given
solution operator.

In this implementation, the Better Advice Bureau defines
and maintains a list of special labels which indicate the
effects of a certain solution operator, for example, the
subsystems affected, the extent to which effects are
reversible, and the availability of further documentation
explaining the proposed change. The advice provider uses
this labeling system to describe the effects of the advisories
published by the provider. The advice reader uses this
labeling mechanism as part of its user interface during the
solution proposal process. When a consumer is
contemplating applying a solution operator, part of the user interface
indicates for the consumer the types of side effects which
may result, according to the labeling which the provider has
supplied.

Both consumers and providers, under the guidance of a
central classification, come to have a common way to
understand and discuss the potential effects of a system
modification. The Better Advice Bureau issues counter
advisories against advisories which inaccurately label the effects
of their advisories. The advice reader uses distinctive visual
identifiers to call attention to advice with extreme effects and
to call attention to advice with no labeled effects. The
consumer may refuse to approve proposed solution
operators which are unlabelled, or to subscribe to sites which
author unlabelled operators.

Security Summary

There are several illegal activities that threaten the
security of the consumer. However, in every instance, the system
has been designed with an effective means of defense. The
invention does not expose the user to levels of risk in excess
of those risks already experienced through the use of e-mail
and Web browsing. In fact, the risks from invention are far
lower than the risks of those standard activities.

There is also the possibility that otherwise trustworthy
advice authors release damaging advice. The system is
designed to contain and correct such situations. The extent
of damage due to honest mistakes is contained because
advice has access to only a limited complement of system
resources, e.g. disk storage and CPU time, and the use of
these resources is metered and rationed in a typical
implementation. The structure of advice files and the associated
relevance language is relatively transparent to consumers,
which helps them play a role in fostering their own security.
Finally, through the advisory process, through Better Advice
Bureau and UrgentAdviceNet, the invention contains
mechanisms to correct security problems automatically as
they arise. 
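
The download-time rationing that the text applies to problems (a) and (b), as an added example rather than code from the original: advisories are read as byte streams against a per-file and a per-session quota and must be ASCII. The class name, the quota values and the sample streams are constructed for the illustration.

```python
from itertools import repeat


class Rejected(Exception):
    """Raised when an advisory is dropped; the message says why."""


class GatherSession:
    """Rations what unattended advice gathering may pull into the machine."""

    def __init__(self, per_file_bytes: int, session_bytes: int):
        self.per_file_bytes = per_file_bytes
        self.session_bytes = session_bytes
        self.used = 0  # bytes taken off the network so far, kept or not

    def fetch(self, chunks) -> str:
        """Read one advisory from an iterable of byte chunks (a network stream)."""
        body = bytearray()
        for chunk in chunks:
            # A chunk that has arrived has already cost bandwidth: count it first.
            self.used += len(chunk)
            if self.used > self.session_bytes:
                raise Rejected("session quota exhausted")
            if len(body) + len(chunk) > self.per_file_bytes:
                raise Rejected("advisory exceeds per-file quota")
            if not chunk.isascii():
                raise Rejected("advisory is not ASCII text")
            body += chunk
        return body.decode("ascii")

    def gather(self, sources: dict):
        """Fetch every source; one bad advisory never aborts the others."""
        accepted, rejected = {}, {}
        for name, chunks in sources.items():
            try:
                accepted[name] = self.fetch(chunks)
            except Rejected as why:
                rejected[name] = str(why)
        return accepted, rejected


def demo():
    # Constructed sample streams; none of this is real advisory content.
    sources = {
        "ok": [b"Advisory: constructed ", b"sample text.\n"],
        "binary": [b"MZ\x90\x00\x03", b"never read"],
        "endless": repeat(b"A" * 512),  # a stream that never ends
        "late": [b"B" * 2000],          # arrives once the budget is spent
    }
    session = GatherSession(per_file_bytes=2048, session_bytes=4096)
    accepted, rejected = session.gather(sources)
    return accepted, rejected, session.used


if __name__ == "__main__":
    print(demo())
```

Reading stops at the first chunk that breaks a quota, so the endless stream costs five chunks rather than running until storage fills.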
Privacy Issues 

The advice reader accesses a great deal of information
about the consumer's computer, about the contents of the
files on the consumer's computer, and about the interactions
of that computer with devices in the immediate environment.
To the extent that the consumer stores information
about his financial, personal, or medical affairs on the
computer, typical implementations of the advice reader are
able to access that information, for example bank balances
and prescription drug information. To the extent that the
consumer computer has access to network devices which
form part of the consumer's home or work environment, the
advice reader is able to access information about that
environment, for example whether certain devices are
present in the environment, whether they are operating, and
what their conditions of operation are. Enabling the invention
to access this information is beneficial to the consumer,
allowing helpful advice to be written which can identify 
problematic situations and call them to the attention of the 
consumer. 

Much of the information that invention has access to is 
potentially sensitive, and most consumers would not knowingly
permit such data to be divulged to strangers. Any
system which can access such sensitive information must 
also protect the information. As explained below, the advice 
reader acts to preserve the privacy of the consumer. 
Existing Internet Privacy Standards

The invention is designed to protect user privacy, offering 
a level of protection far in excess of the current norm of the 
Internet business community. 

Internet mediated activities, such as Web browsing and 
on-line commerce, can result in the disclosure to Web
servers of information about the browsing consumer's
identity, computer configuration, and also certain items
about consumer shopping or browsing interests. There is no
single accepted standard of privacy, and industry groups
have formed for the purpose of gathering information about
consumers from their Web interactions and sharing among
themselves information about the consumers. Consumer
oriented groups such as EPIC (Electronic Privacy Information
Center) have formed in response, and there are currently
political battles over the consumer's right to electronic
privacy. 

The invention offers a method which meets or exceeds the 
level of information privacy desired by consumer groups, 
while providing the fine grained targeting of messages to 
recipients desired by industry groups.

The standard that the invention offers is understood by 
considering a classification of privacy respecting/threatening
behaviors. The ethical standards of advice providers are
classified into four categories, definitions of which are
provided below.

(Ea) Completely Ethical 

(Eb) Merely Ethical 

(Ec) Merely Legal 

(Ed) Criminal 

Completely ethical behavior of an information provider is
defined as full respect of consumer privacy and of the
intended purpose of the invention communications protocol.
A completely ethical provider would . . .

never seek to perform covert identification or surveillance of
a consumer community. In particular, it would:

make no efforts to infer from server activity the identity
or attributes of any consumer,

make no efforts to infer from network activity the
attributes of any consumer, and

make no efforts to use the Internet as a pure broadcast
advertising medium, creating messages which make
unsolicited contact with all or a very large number of
consumers passively receiving messages.

fully disclose to consumers the existence and purpose of
data gathering efforts; 

make no efforts to use information so received in ways 
unrelated to the disclosed purpose of the information 
gathering effort; 

make no efforts to use information gathered from such a 
questionnaire to correlate with future server or network 
activity. 

Completely ethical behavior is a standard much higher 
than that obeyed by many actors in the current Internet 
business community. The Internet business community at 
the moment contains a wide range of attitudes and behaviors 
towards consumer privacy. There are many instances of 
behavior that can be classified as merely ethical, or merely 
legal. 

Merely ethical means that the behavior of inferring user 
identity or attributes from Internet activity, while providing 
some sort of notice that privacy compromises are taking 
place, respects the provider-consumer relationship by not 
using the information to initiate unwanted contacts with 
consumers and not sharing the information with other busi- 
nesses. In effect, merely ethical behavior restricts the use of 
information gathering to internal research and planning
purposes, in much the same way that ethical companies
currently use information gathered from product registration 
cards. 

Merely legal means that the behavior of inferring user 
identity or attributes from Internet activity, provides only 
minimal notice that some sort of privacy compromise is 
taking place, and then subsequently makes maximum 
exploitation of the gathered information under current laws, 
which includes systematically sharing the information with 
other businesses and initiating unwanted contacts with con- 
sumers. The standard of many Internet based information 
gathering efforts is at precisely the level of merely legal. 
Companies which are collecting information about the
consumer rely on the Web browser to notify the user that an
insecure process is taking place. They do not make any 
separate notice of their own, explaining what information is 
being gathered or how it is used. 
Privacy Protection 

The invention does not allow unsolicited interactions with
the outside world. In routine operation, the invention has
interactions only with the advice servers to which the user has
subscribed. Assuming that security problems, such as spoofing
and moles are not an issue, the risk of compromising
privacy is therefore focused on the interaction between
consumer and trusted advice provider. As described below,
the invention's communications protocol divides the advisory
communications process into the following stages:
(ACP-a) Subscription. The consumer anonymously initiates
a subscription.
(ACP-b) Gathering. The consumer's advice reader anonymously
gathers advice from the site.
(ACP-c) Evaluation. The consumer's advice reader evaluates
advice for relevance.
(ACP-d) Explanation. The consumer's advice reader displays
a document authored by the advice provider,
explaining why a certain advisory is relevant, and
proposing a solution/response.
(ACP-e) Solution/Response. The consumer evaluates the
document and, potentially, accepts the proposed
solution/response, potentially interacting with the
world as a result.
The invention, operating with the AEUP communications
protocol, makes steps (ACP-a)-(ACP-d) completely private
and localizes the information sharing potential to step
(ACP-e).

Operationally, a completely ethical advice provider never
seeks to violate the privacy protection of steps (ACP-a)-(ACP-d)
of the protocol. In particular, a completely ethical
provider never seeks to perform covert identification or
surveillance of a consumer community using the invention.
There are no efforts to infer from server activity the identity
or attributes of any user. There are no efforts to develop tools
to infer from network activity the attributes of any user.
There are no efforts to use the invention as a pure broadcast
advertising medium, creating advisories which make unsolicited
contact with all or a very large number of consumers.
Any efforts to use the invention to gather information from
consumers are based on a questionnaire process at solution
time (ACP-e) and come with full prior disclosure to the
consumer at explanation time (ACP-d), in easily understandable
terms, of the types of information being gathered and of the
purposes for which they are being gathered. There are no
efforts to use information so received in ways unrelated to
the disclosed purpose of the information gathering effort.
There are no efforts to use information gathered from such
a questionnaire to correlate with future server activity.

In one typical implementation, the invention encourages
providers to behave in a completely ethical way. The invention
may provide mechanisms to encourage consumer
knowledge of the standards of completely ethical behavior
and knowledge of the standards kept by individual providers.
The invention contains mechanisms to defeat and discourage
criminal attacks on privacy and to defeat and
discourage unethical behavior.

In a typical implementation, the invention has several 
mechanisms to promote and enforce completely ethical 
behavior.

First, by encouraging subscription to trusted advice sites, 
the system encourages users to be aware of the quality of a 
site. One important component of quality is ethical quality. 

Second, the Better Advice Bureau provides a mechanism
to issue advisories warning against unethical sites. The
Better Advice Bureau maintains an openly accessible list of
objective causes for counter advisories. This list makes it
clear to consumers and providers the types of behavior
which result in counter advisories. In this way, providers
receive guidance about what constitutes unethical behavior.
Those providers wishing to preserve public trust act ethically.

Third, the invention may frustrate attempts to violate the
privacy intent of the protocol. As described below, all legal
threats to the protocol have effective responses from the
invention, and a provider must engage in criminal activity to
violate the communications protocol.
Privacy and AEUP 

The invention uses a protocol (AEUP) for information 
exchange over open public networks which imposes a much 
higher standard of information ethics than the current indus- 
try standard. In addition, the protocol protects against certain 
outright criminal behavior. 

The goal of AEUP is that: 

Information on the machine stays on the machine. 

That is, information about the consumer's computer or its 
environment which has been accessed by the invention is not
distributed to outside parties without explicit consent. In 
physical terms, AEUP provides a one way membrane 
between the consumer computer and the outside world. 
During unattended operation: 

Information flows in, but no information flows out of the 
consumer computer. 

This design constraint is expressed in four principles: 

(PRIV-a) The act of subscription does not divulge the 
user's identity or attributes. 

(PRIV-b) The act of gathering advice does not divulge the 
user's identity or attributes. 

(PRIV-c) The act of evaluating relevance does not divulge
the user's identity or attributes. 

(PRIV-d) The act of passively viewing a relevant advisory 
does not divulge the user's identity or attributes. 

When operated under AEUP, all automatic unattended 
operation preserves the privacy of the user's identity and 
attributes. The following discussion describes the ways in 
which AEUP and the overall invention process enable 
(PRIV-a)-(PRIV-d).

(PRIV-a) Privacy in the Act of Subscription 

Under AEUP, the information that a certain user is sub- 
scribing to a certain advice site is known only to the user and 
to his advice reader. This requires clarification. In common 
usage, the word subscription implies a sort of registration 
process by which a user identifies himself to a provider as a 
subscriber. Under AEUP, there is no such registration pro- 
cess. There is no need for it. Advice is made freely and 
anonymously available in the same way that Web sites make 
Web pages available freely and anonymously. The subscrip- 
tion process is an interaction between the user and the user's 
own advice reader, not between user and some external 
advice provider. The advice reader operating on the user's 
computer obtains from the user the selection of advice sites
of interest and stores those on the user's computer only as 
part of a database maintained locally by the subscription 
manager component of the advice reader. That database 
controls the evaluation of advice, causing the advice gath- 
erer to gather advice periodically from some sites and not 
from others. Subscription is a private matter. 
(PRIV-b) Privacy in the Act of Gathering 

Under AEUP, the act of gathering advice does not reveal 
information that a certain consumer is interested in certain 
things, or that he has a certain computer configuration. 

It may be objected that an advice site can learn about the 
identity of a subscriber from the fact that the subscriber's 
advice reader frequently gathers information from the site. 
However, in typical implementations, the only thing that can 
be learned from the act of gathering is that a connection to 
an advice site has been made from a certain IP address. 
Under current network protocols most consumers have 
dynamic IP addresses, and so the correlation between IP
address and identity is weak, lasting typically a few minutes. 
Hence, the information in an IP address is generally of little 
value. 

Moreover, consumers with static IP addresses who do not
wish to divulge their true IP address may use a proxy server.
Proxy servers are a well known tool by which certain IP
client-server transactions are replaced by a three-party
client-proxy-server interaction, with the proxy requesting
data of the server and routing it anonymously to the client.
To the server, it appears that the proxy is the client. To the
client, it appears that the proxy is the server. There is never
any direct contact between the server and client. The server
never obtains the identity of the client, i.e. its IP number.

The invention, in one implementation, is configured to
offer universal proxy service to all users, and the advice
reader offers to the user, as one optional means of
connection, the use of such a server. In such an
implementation, Better Advice Bureau.org or another central
authority offers an anonymous advice gathering server
which accepts advice gathering requests from users, strips
them of return addresses, routes them to advice sites, and
forwards the returned information to the user. This mechanism
conceals the IP address of the user.

The act of gathering may be thought to divulge information
because the gatherer selects only certain documents
from among those available at the advice site. This objection
is based on a misunderstanding of AEUP. In a typical
implementation, the advice gatherer always accesses all
documents available at a certain site, which are not already
present on the consumer machine. No selection of any kind
is performed at gathering time. Relevance is determined
only after all the advice has been gathered and stored on the
consumer computer. The only correct inference that can be
made from the behavior of the advice gatherer is that the
consumer has an ongoing subscription to that site.

This approach is very different from currently popular
approaches to obtaining relevant information using the Internet.
In the currently popular approach, the user fills out a form
expressing, for example, preferences, characteristics, and
system configurations. This form is sent to the server. The
server then responds to the consumer in a focused way,
based on the information that was contained in the form.
This standard process reveals information about the consumer
to the server.

In the invention's approach, the consumer's preferences
and configurations are kept confidential on the consumer's
machine. All of the advice offered by the site is brought to
the consumer machine and is then evaluated for relevance
privately.

(PRIV-c) Privacy in the Act of Evaluating Relevance

The relevance or irrelevance of a given piece of advice 
can signal a great deal of information about an advice 
consumer's computer and its environment. A very narrowly 
focused condition, specifying contents of the user profile, 
and contents of specific files can, if true, convey a great deal
of information about the user. 

If the advice reader allows the fact of relevance or 
irrelevance of an advisory to leak out of the reader to the 
outside world, it compromises the consumer's privacy. If 
this happens during unattended operation, the outcome
might be very serious because many thousands of advisories 
are being evaluated for relevance. If there is a mechanism 
for systematically discovering the relevance of an arbitrary 
collection of many pieces of advice, a complete profile about 
the consumer and his environment leaks out.

In a typical implementation, the advice reader's relevance 
evaluation process has as its only externally observable 
effect a resulting change in the state of the user interface.
The user is notified when a certain piece of advice has
become relevant, and that is all. In a typical implementation,
the simple fact that something evaluated to relevant causes
no activity outside of the user's computer which can be
observed by others. There is a possible exception to this
when remote inspectors are available. See below.
(PRIV-d) The Act of Passively Viewing a Relevant Advisory
does not Divulge the User's Identity or Attributes

Reading a text file in the privacy of one's own interaction 
with one's own computer does not offer any breach of 
privacy. No one in the outside world need know that one has 
read the file. However, reading a Web page is a different 
matter. A hole in the one-way privacy membrane maintained 
by invention is opened by the careless offering of HTML or 
other hyperlinked media as a valid type of advisory content 
in the explanatory component of the advisory. The discus- 
sion below describes the hole and its consequences, and 
describes why the invention, in a typical implementation, 
does not leave this hole open. 
Constraints on Solution Operations 

The final step in the advice processing chain is the 
application of a recommended solution operation. Because
this operation can be an essentially arbitrary operation, it is 
not possible for the invention to control the effects of this 
operation. In particular, the recommended operation 
includes electronic correspondence with the advice author, 
divulging identity and attributes. For this reason, there is a 
design constraint: 

(PRIV-e) In typical implementations, the advice reader 
does not apply recommended solution operators auto- 
matically. They may only be applied after user 
approval. 

Because of the wide-open nature of solution operators, the 
consumer plays an important role in protecting his own 
privacy. The act of applying a recommended solution operation
may divulge the consumer's identity or attributes,
whether the consumer knows this or not. An unethical advice 
author can create mole solution operators which, while 
claiming to do one sort of operation, could in fact be 
conducting electronic correspondence covertly, without 
informing the consumer. The consumer should only agree to 
apply solution operations which come from authors he trusts 
to behave in an ethical fashion. 
Remote Inspectors: Plugging Leaks 

In one implementation, there is a potential violation of the
privacy of the relevance evaluation process, based on the
assumption that the advice reader allows conditional evaluation
of "and" clauses, and the assumption that relevance clauses
may refer to conditions which are verified by making queries
to other computers and/or other devices remote from the
computer on which the advice reader is running. A careless
implementation of a remote inspector creates network activity
that is observable to the outside world, and from which
activity the value of certain relevance clauses is inferred.
Inspectors which cause network activity are by no means
central to the invention, and this particular privacy threat
therefore affects only certain implementations of the invention.
(Compare discussion of Covert Channels in Pfleeger,
Security in Computing)

Consider an eavesdropper who would like to learn about 
the value of a relevance clause R when evaluated for 
relevance on a certain advice consumer's machine. Suppose 
that the eavesdropper operates an advice site which is trusted 
by the consumer and subscribed to by the advice reader, so 
the eavesdropper can introduce advice onto the machine. 
Suppose that the eavesdropper knows that the advice reader 
contains an inspector which, when invoked via clause I,
generates network activity across a piece of the Internet
under control of the eavesdropper. For example, suppose
that the eavesdropper has system level access to a node of
the Internet in a direct path between the consumer machine
and a destination machine that is queried as a result of a
certain inspector call. The eavesdropper is then in a position
to program the IP transport logic at the node under his
control to take note of the existence of IP traffic between the
consumer and the destination.

In this hypothetical situation, the eavesdropper is in a
position to author advice asserting R and I and to publish the
advice at his advice site. After this advice is gathered by the
consumer machine, it is evaluated automatically for relevance.

In one implementation of the advice reader, the evaluation
of a clause A and B stops immediately as soon as A is
determined to be false because it is not necessary to know
the value of B to finish the evaluation of the phrase. As soon
as A is determined to be false, the phrase A and B is known
to have the value False. This scheme is referred to as
conditional evaluation. There are implementations of the
advice reader that do not perform conditional evaluation.
These schemes always evaluate all subexpressions of an
expression before inferring the value of the expression. The
decision to use conditional evaluation in an implementation
is based on performance considerations. Advice readers
using conditional evaluation typically run faster.

Assuming that the advice reader implements conditional
evaluation as described above, then the network activity
prompted by the clause I only occurs if the clause R
evaluates to True. The eavesdropper is in a position to
observe this network activity, and hence to infer that clause
R evaluates to True. Information about the consumer has
leaked out of the consumer's computer due to the relevance
evaluation.

In discussing this hypothetical situation, it should be
noted that eavesdropping activity of the sort described
constitutes a form of electronic stalking and may be illegal.
Such situation requires either that the trusted advice author
be himself an eavesdropper, engaging in conspiracy with the
eavesdropper, or does not act to prevent unauthorized advice
from being injected in his name, for example by signing his
advice. The advice consumer may protect himself from this
threat by subscribing to trustworthy sites only, i.e. sites
meeting the standard of completely ethical behavior.

The advice consumer may also protect himself from this
threat by configuring the advice reader to restrict the domain
of allowed relevance checking to a domain where he has
physical control. In extreme cases, this means limiting
relevance to check conditions verifiable only on the machine
where the advice reader is running.

There are presently four mechanisms whereby the advice
reader can allow network activity and yet protect against this
type of eavesdropping.

Disallow conditional evaluation of clauses. The advice
reader is configured to avoid conditional evaluation. In
that event, no information about relevance evaluation is
revealed by the existence of observable network activity
between consumer and destination.

Randomly reorder subexpressions for conditional evaluation.
In evaluation of a clause A and B, the parser
randomly reduces the clause to the equivalent of (& A
B) with probability 1/2, and to perform (& B A) with
probability 1/2. When this is done, the fact that remote
network activity occurs in evaluation of the clause R
and I implies that either a fair coin was tossed heads or
that a clause R was true. This makes it impossible in a
particular instance to determine whether R was actually
true for the user in question.

Always force evaluation of subexpressions involving network
activity. The advice reader is configured so that
each inspector has an attribute Remote-Activity which
is set in case the inspector causes activity off the
machine running the inspector. The advice reader, in
parsing a relevance clause, identifies those subexpressions
which have attribute Remote-Activity and forces
evaluation of those subexpressions.

Decouple network activity from relevance evaluation.
Inspectors with the attribute Remote-Activity are constrained
to work only on cached data, using queued
requests, to a prespecified location or collection of
locations. This means that an inspector, when receiving
a request for an attribute determinable only remotely,
can check a local cache. If the answer is found in the
cache, it responds with the answer. If the answer is not
found in the cache, the request is placed in the queue for
future evaluation. Independently, a process runs
according to a fixed schedule, e.g. once per day, which
communicates with a fixed list of remote machines, and
which at that time processes all requests that have been
cached in the last day. In this way, relevance evaluation
per se causes no network activity outside of regularly
scheduled activity.

An appropriate combination of these mechanisms can
safeguard the privacy of relevance evaluation, even in the
indicated context of criminal eavesdropping.
HTML: Plugging Leaks

The final appearance of a typical modern HTML document
is the product of several files rather than a single one.
The HTML document itself gives a kind of logical skeleton
of the display, and an inventory of the textual component,
and a collection of links to various graphics and multimedia
files, which provide the visual components. In traditional
Web browsing practice, a Web browser constructs the rendered
image in a series of stages. First the HTML file is
gathered and the skeleton of the document is rendered. If the
HTML document refers to remotely located multimedia
files, then the Web browser begins to gather those files. After
the files arrive, they are used to format and render the final
display.

Suppose that an advice provider has authored an advisory
containing an HTML file making references to files located
on the advice provider's server in its explanatory component.
Suppose also that the advice reader behaves as a traditional
Web browser in rendering HTML. At the moment that the
consumer reads the advisory, the underlying graphics files are
gathered from the advice server. In other words, there is
noticeable activity at the advice server caused by the fact of
reading an advisory. If the advisory is irrelevant, the HTML
is not rendered and, because the unrendered HTML never
leads to a gathering of the multimedia file, the server can
infer from this activity that an advisory evaluated to relevant.
This constitutes a leak of information through the one
way membrane, back from consumer to provider.

A completely ethical advice provider must not take any
notice of this activity. However, a merely ethical advice
provider could, in principle, exploit this fact to learn something
about the consumer population. Indeed, such an advice
provider can author an advisory referring to a special multimedia
file, pointed to only by this advisory. Counting the
number of references to the multimedia file, and dividing by
the number of gathers of the advisory itself, one can obtain
an estimate of the fraction of the consumer population which
exhibited a certain combination of circumstances.
However the invention, in a typical implementation, takes
steps to frustrate this sort of activity. Inducing leaks of this
kind is considered less than completely ethical because,
combined with other unethical behavior, it can compromise
individual privacy. It is true that such leaks have an innocent
and useful application. As long as no correlation is made
between the information leaking back and individual
identity, one could argue that the leak can be made to serve
a constructive purpose of informing the advice provider
about the user population in general. However, the existence
of such a leak creates a temptation to perform such a
correlation, which leads to serious privacy abuses.

There is another mechanism available by which the 
invention offers similar feedback to advice providers while 
protecting individual privacy, i.e. randomized response. To
discourage attempts to exploit leaks caused by HTML, a 
typical implementation of invention can employ one or all of 
three mechanisms: 

HTML-A Proxy server. By working exclusively through
a proxy server, the advice reader can destroy all correlation
which might otherwise be visible at the advice
site between identity of gatherer and fact of gathering.
In effect, the advice reader is requesting the multimedia
file from the proxy server rather than the original site.
In one implementation, the proxy server caches the
multimedia file locally and so serves many requests for
the multimedia file while only asking for the file once
from the advice site. Advice sites may find this arrangement
advantageous because it minimizes the load on
their own server. In return, they lose the ability to make
population attribute prevalence studies, or to make
correlation between identity and attributes.
HTML-B Immediately gather all multimedia. In one
implementation of the invention, the gathering process
includes the automatic downloading of all multimedia
files referred to in the HTML of an advisory. This
works as follows: A preliminary parsing of the advisory
leads to a listing of all multimedia files referred to in the
HTML source of the explanatory component of the
advisory. The advice gatherer gathers those files
immediately, ensuring that if the advisory ever
becomes relevant, the file is available locally. For this
implementation of invention, there is no connection
between the fact that a file was gathered and the
possibility that a certain advisory may be relevant.
Mechanisms (HTML-A) and (HTML-B) may be used
simultaneously. That is, a proxy server may gather advice on
behalf of a client, and also all multimedia files referred to in
any HTML source contained within that advice. The consumer
advice reader initially gets only the advisory files, and
not all the multimedia files. At the proper time, the multimedia
files are gathered from the proxy server. In this way,
there is again no connection between the fact that a file was
gathered and the possibility that a certain advisory may be
relevant.
HTML-C Download multimedia at random. In one implementation
of the invention, the gathering process
includes the random downloading of some multimedia
files referred to in the HTML of some advisories. This
works as follows: A preliminary parsing of the advisory
leads to a listing of all multimedia files referred to in the
HTML source of the explanatory component of the
advisory. The advice gatherer periodically gathers a
few randomly selected files from that list. This ensures
that, for any advisory that an advice author publishes,
a large fraction of the multimedia files are accessed, not
for reasons of relevance, but due to outcomes of pure
chance experiments. Partially, this ensures that among
those customers where an advisory becomes relevant,
for many of them the file is already available locally.
Under this implementation of the invention, there is no
logical connection between the fact that a file is gathered
and the possibility that a certain advisory is
relevant. Whatever connection there may be is probabilistic
and could be made rather weak by appropriate
choice of the frequency of random downloading.
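
The remote-inspector leak described under "Remote Inspectors: Plugging Leaks" and three of its countermeasures (random reordering, forced evaluation, and cache/queue decoupling), modeled from the defender's side as an added example that is not part of the patent text. The HTML mechanisms above rest on the same principle, that off-machine activity must not depend on relevance. The `Reader` and `Inspector` classes, the mode names, the treatment of an unanswered remote question as "not relevant yet", and the host `fixed-host.example` are assumptions made for illustration.

```python
import random
from dataclasses import dataclass, field


@dataclass
class Inspector:
    name: str
    value: bool                     # constructed ground truth on the consumer machine
    remote_activity: bool = False   # the Remote-Activity attribute from the text


@dataclass
class Reader:
    # Mode names are chosen for this example:
    # "conditional" (short-circuit), "reordered", "forced", "decoupled".
    mode: str
    rng: random.Random = field(default_factory=random.Random)
    wire: list = field(default_factory=list)    # traffic an on-path observer can see
    cache: dict = field(default_factory=dict)   # answers fetched by the scheduled job
    queue: list = field(default_factory=list)   # remote questions awaiting that job

    def _inspect(self, insp):
        if not insp.remote_activity:
            return insp.value
        if self.mode == "decoupled":
            if insp.name in self.cache:
                return self.cache[insp.name]
            if insp.name not in self.queue:
                self.queue.append(insp.name)
            return False    # assumption: unknown answer means "not relevant yet"
        self.wire.append(insp.name)     # the query leaves the machine immediately
        return insp.value

    def evaluate_and(self, a, b):
        """Evaluate the clause 'a and b' under self.mode."""
        terms = [a, b]
        if self.mode == "reordered" and self.rng.random() < 0.5:
            terms.reverse()
        known = {}
        if self.mode == "forced":
            # Remote subexpressions are evaluated whatever the other terms say.
            known = {t.name: self._inspect(t) for t in terms if t.remote_activity}
        for t in terms:
            result = known[t.name] if t.name in known else self._inspect(t)
            if not result:
                return False        # conditional evaluation stops here
        return True

    def scheduled_sync(self, fixed_hosts, answers):
        """Fixed-schedule job: the same hosts are contacted on every run."""
        self.wire.extend(fixed_hosts)
        for name in self.queue:
            self.cache[name] = answers[name]
        self.queue.clear()


def observed_rate(mode, r_value, trials=1000, seed=0):
    """Fraction of evaluations of 'R and I' that put traffic on the wire."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        reader = Reader(mode, rng=rng)
        r = Inspector("R", r_value)
        i = Inspector("I", True, remote_activity=True)
        reader.evaluate_and(r, i)
        hits += bool(reader.wire)
    return hits / trials


def decoupled_run(r_value):
    """Evaluate, run the scheduled job once, evaluate again; return what happened."""
    reader = Reader("decoupled")
    r = Inspector("R", r_value)
    i = Inspector("I", True, remote_activity=True)
    first = reader.evaluate_and(r, i)
    reader.scheduled_sync(["fixed-host.example"], {"I": True})  # constructed host
    second = reader.evaluate_and(r, i)
    return first, second, list(reader.wire)


if __name__ == "__main__":
    for mode in ("conditional", "reordered", "forced", "decoupled"):
        print(mode, observed_rate(mode, True), observed_rate(mode, False))
    print(decoupled_run(True), decoupled_run(False))
```

In this model, random reordering means traffic no longer proves that R is true, but the absence of traffic still shows that R is false. Forced evaluation and decoupling make the observable traffic identical whether R is true or false.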
Support for Privacy Ethics 

There are three meta-principles in the invention which 
help to enforce information ethics. 
Ethical sites. Consumers should only subscribe to advice 
sites known to behave in an ethical fashion. Many con- 
sumers configure their advice reader to subscribe mainly 
to advice from large concerns which manufacture goods 
and services of interest to the consumer. For example, a 
computer manufacturer, a software publisher, or the pro- 
vider of Internet service. Subscription to substantial orga- 
nizations of this type is a reasonably secure practice. Such 
organizations have an interest in providing trustworthy 
advice so that they maintain rapport with their consumers. 
Few risks are posed to advice consumers who subscribe to 
advice authored by such concerns. 
Clear definition of ethics. The Better Advice Bureau is a 
fundamental tool for encouraging ethical behavior of 
authors. All users subscribe to this site. This site compiles
counter advice, informing users about unethical sites and 
about unethical advice which has been circulating. Better 
Advice Bureau defines a solution operator as unethical if 
it involves divulging information to the author without 
first informing the user that information is to be divulged 
or without informing the user accurately about the nature 
of the information that is to be divulged. If pieces of mole 
advice are circulating which behave unethically, and they 
come to the attention of Better Advice Bureau.org, it may 
release counter advisories against them. Hence, the Better
Advice Bureau functions in some respects as a privacy
protection system for the invention, allowing the correc- 
tion of unethical situations. 
Clear labeling of side effects. To make the definition of 
ethical behavior clear, and deviation from ethical behavior 
clear, the Better Advice Bureau describes a set of labels to 
be attached to advisories, indicating the potential side 
effects of solution operators. These labels indicate: 
The critical subsystems which may be affected by the
advisory's proposed solution.
Whether information may be revealed by using the
advisory's proposed solution.
What types of information may be so revealed.
If information may be revealed, whether it may be used
for marketing/mailing.
If information may be revealed, whether it may be shared
with other companies.
Completely ethical behavior demands that advice authors 
label their advice according to its effects on potential con- 
sumers. Better Advice Bureau considers it grounds for a 
counter advisory if an advisory is mislabeled. Persistent, 
concerted efforts to misinform are considered by Better 
Advice Bureau grounds for a site counter subscription 
advisory. 

Alternate Client-Server Interactions 

A key component of the invention is the synchronization 
between consumer and provider site images. This happens 
according to AEUP. However, there are other embodiments 
of the basic invention in which synchronization is effected 
by different means. These are described below. 
Anonymous Selective Update Protocol 

Under this protocol, the act of subscription and the act of 
synchronization are both anonymous as in the AEUP. 
However, the update process is selective rather than 
exhaustive. 
ASUP Definition 

Under ASUP, each advisory message is abstracted into a 
short form consisting of at least a message identifier refer- 
ring to the original advisory, the relevance clause of the 
original advisory and, potentially, other information, such as 
a subject line. Under this protocol, the advice server, in 
addition to directory messages and whole advisory files, also 
serves to the advice reader the abstracts of one or many 
advisories. 

Under ASUP, the gathering process changes. The advice 
reader, instead of ensuring that it has the entire body of each 
advisory of the advice site, ensures that it has at least the 
abstract for each message. It does this by issuing requests for 
all the abstracts of all the advisories that are new since the 
previous synchronization. 

Under ASUP, the advice database changes. The database 
contains two kinds of entries: full advisories, and advisory 
abstracts. 

Under ASUP, the advice reader schedules relevance 
evaluation for all the relevance clauses it has obtained, both 
those clauses contained in full advisories and those clauses 
contained in abstracts. 

Under ASUP, a relevant advisory can trigger a new round 
of contact between advice reader and advice site. Depending 
on the configuration, the advice reader, either in anticipation 
of the user wanting the full advisory or after a direct user 
request, establishes a connection with the advice site, and 
requests the bodies of certain advisories. 

The result of this protocol is that, whereas the consumer's 
advice reader accesses and evaluates all the published 
relevance clauses, it does not download all the published 
advisories. 
Analysis of ASUP 

This protocol can be advantageous if the published 
advisories consume considerably more storage than the 
abstracted advisories. It saves the consumer time in 
accessing a large body of advisories and saves the provider 
time in serving requests. A potential drawback of this 
protocol is the possibility of compromises of consumer 
privacy. Under the ASUP protocol, it is conceivable that an 
advice provider attempts to make inferences about the 
consumer based on observing the advisory files requested and 
not requested by the advice reader. If the protocol is 
implemented exactly as described above, the consumer never 
requests the entire advisory when the clause is not relevant 
and always requests the entire advisory when the clause is 
relevant. An advice provider whose intent is to learn 
information about a specific consumer, in principle, 
correlates server requests for full advisories with IP 
addresses from which they came, inferring that requests 
signify the relevance of the corresponding advisory on the 
corresponding computer. If the IP address is permanently 
assigned to a certain consumer computer, the provider in 
principle correlates such requests with consumer identity. 
In this way, information about the consumer may leak back 
to the server. 
Privacy Protection Under ASUP 

Random gathering. The potential for information leaks is 
reduced by having the advice reader request full 
advisory bodies for some advisories whose relevance 
clauses are not relevant. This is done by a 
randomization mechanism. Each full advisory body is requested 
with a probability p, where p is a specified number 
Proxy server. The potential for information leaks is 
reduced by having the advice reader request full advi- 
sory bodies via a proxy server, which anonymously 
forwards advisory body requests to the advice site, and 
thereby masks to the advice site the identity of the 
requester. A centralized proxy server, for example 
located at the Better Advice Bureau or at advisori- 
es.com is made available for this purpose. 
Proprietary server. The potential for information leaks is 
reduced by restricting the supply of server software. If 
the only server software which works with the invention 
protocol does not make correlations between consumers and 
the advisories they request, and also does not log the 
requests, and if the users of the server software do not 
attempt to frustrate the intent of the proprietary protocol 
by eavesdropping on the server-reader transaction, then 
there is no disclosure of personal information to the 
server as a result of ASUP. 
The supply of server software can be restricted by 
modifying the reader/server interaction so that a certain 
security handshake is mandatory. By using digital encryption 
technology as part of the security handshake and by 
restricting access to the appropriate security handshake 
keys, one restricts access to the ability to build server 
software. 

Prohibitions against eavesdropping on client-server inter- 
actions can be enforced contractually. Valid server software 
may be made available only on condition that recipients do 
not eavesdrop. 

Hence there are several avenues to safeguard privacy 
under ASUP. 
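
The random gathering measure can be made concrete as follows. This is an added illustration in Python, not code from the patent; it assumes relevant advisories are always requested and each non-relevant one is requested with probability p, and the function names and sample advisory ids are constructed for the example.

```python
import random


def choose_requests(relevance, p, rng=None):
    """Pick the advisory ids whose full bodies the reader requests.

    relevance maps advisory id -> result of evaluating its relevance clause.
    Assumption: relevant advisories are always requested, and each
    non-relevant one is requested as a decoy with probability p.
    """
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must lie in [0, 1]")
    # OS-backed randomness by default, so decoy choices are not predictable.
    rng = rng or random.SystemRandom()
    requested = [adv for adv, relevant in relevance.items()
                 if relevant or rng.random() < p]
    # Shuffle so request order does not separate real fetches from decoys.
    rng.shuffle(requested)
    return requested


def provider_belief(prior, p, was_requested):
    """Provider's probability that an advisory is relevant on one consumer
    machine, given whether that machine requested the full body (Bayes' rule).
    prior is the provider's belief before observing any request."""
    if not was_requested:
        # Under the assumption above only non-relevant advisories are skipped.
        return 0.0
    evidence = prior + (1.0 - prior) * p
    return prior / evidence if evidence > 0 else 0.0


def demo():
    # Constructed sample: eight abstracts, two relevance clauses are True.
    relevance = {f"adv-{i}": i in (2, 5) for i in range(8)}
    rng = random.Random(1998)  # fixed seed only to make the demo repeatable
    return {p: sorted(choose_requests(relevance, p, rng))
            for p in (0.0, 0.5, 1.0)}


if __name__ == "__main__":
    for p, ids in demo().items():
        print(f"p={p}: requested {ids}")
    for p in (0.0, 0.25, 0.5, 1.0):
        belief = provider_belief(0.05, p, True)
        print(f"p={p}: provider belief after a request = {belief:.3f}")
```

With p = 1 every body is requested, which is the exhaustive behavior and leaves the provider's belief at its prior. For any p below 1, an advisory that is not requested still tells the provider that its clause evaluated False.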

NonAnonymous Exhaustive Update Protocol 

In certain settings, the concept of anonymous subscription 
is not workable, for example because advisories are made 
available only on a for-pay basis, and the reader/server 
interaction includes a handshake segment in which the 
reader must qualify himself as a paying customer. A variant 
on this scenario is in providing advice to members of a club, 
where members are not in any narrow sense paying for the 
advice subscription itself, but need to be members to qualify 
for the advice. 

The non-anonymous exhaustive update protocol (NEUP) 
is applied in a non-anonymous setting where a subscriber 
exhaustively updates, downloading all new advisories at each 
synchronization. Under NEUP, the consumer's privacy is 
protected in the following sense: While the fact of the 
consumer's subscription is known to the provider, the 
routine act of gathering advice and evaluating relevance does 
not reveal information about the consumer to the provider. 
NonAnonymous Selective Update Protocol 

In certain settings, the concept of anonymous subscription 
is not workable and the use of exhaustive updating is not 
workable, either because there is a very large body of 
potentially relevant advisories to consider or each advisory 
is rather large in size, and very few of the advisories are 
likely to be relevant, so consumers and providers are not 
willing to devote extensive resources to exhaustive updat- 
ing. 

The non-anonymous selection update protocol (NSUP) 
provides this non-anonymous setting where the advice 
reader selectively updates, obtaining first abstracted 
advisories, evaluating relevance, and later downloads rel- 
evant advisories. 

The NSUP by itself gives the consumer no guarantees of 
privacy from the provider. The fact of the consumer's 
subscription is known to the provider and the routine act of 
gathering advice and evaluating relevance reveals to the 
provider which relevance clauses are True. Under NSUP, 
there are several mechanisms for helping to protect 
consumer privacy, e.g. randomization, proxy server, and 
proprietary server. 

Alternate Advice Distribution 

Centralized Advice Server 

In one embodiment, a single centralized site stores the 
advice offered by many different advice providers, with the 
different advice sites actually serving as different 
subdirectories of a single file system. All advice readers 
operating on consumer computers synchronize their site 
images by contacting this centralized site and requesting 
resources, such as advisories, from this site. In practice, 
the single site actually consists of a collection of 
computers mirroring each other's functions and contents. 
This arrangement has an impact in two areas: 
Privacy. This arrangement prevents providers from learning 
about the identity or about any relevance attributes of 
any consumers by insulating consumers from providers. In 
particular, the ASUP protocol is safe in such a setting, 
provided the central advice site does not log or analyze 
reader-server transactions. 
Security. This arrangement limits advice sites to those 
satisfying certain standards imposed by the central 
server management by restricting the supply of advice 
sites, and thereby ensures that advice sites are run by 
typically responsible organizations. 
The centralized site allows advice providers to update the 
contents of their sites on the centralized server by use of 
standard methods, such as FTP or related file transfer 
methods. 

Centralized Proxy Server 

In one embodiment, a single centralized site is available 
to act as a Proxy server for all advice readers. There is a 
widely distributed base of advice sites. However, many users 
do not go to those sites individually. Instead, they configure 
their advice reader to get all advisories via the centralized 
proxy server. This is particularly true of users concerned 
about privacy violations. 

The centralized proxy server caches the advice offered by 
many different advice providers. Advice readers on consumer 
computers request the proxy server to make available 
resources, such as advisories, from certain advice sites. If 
those resources are available on the proxy site, they are 
served immediately to the user. If they are not available, the 
original site is queried for the resources, which are both 
forwarded anonymously to the user, and also placed in the 
proxy site cache. The advice site includes a method to signal 
the centralized proxy site when the original site is changed, 
indicating that it is time to flush the cache (see 
Hallam-Baker, Phillip M. (1996) Notification for Proxy Caches, 
World-Wide-Web Consortium Technical Report, 
http://www.w3.org/TR/WD-proxy). 

This arrangement addresses consumer privacy concerns. 
By insulating consumers from providers, this arrangement 
prevents providers from learning about the identity or about 
any relevance attributes of any consumers. In particular, 
even the ASUP protocol is safe in such a setting, provided 
the central advice site does not log or analyze reader-server 
transactions. 

Centralized Anonymous Advice Remailer 

In one embodiment, advice distribution operates by the 
use of Internet e-mail transport, routed through a centralized 
remailer by the use of anonymous mailing lists. 

The advice site architecture discussed above is maintained. 
However, there is a widely distributed base of advice 
sites. Many readers do not contact those sites directly. 
Instead, they get advice by anonymous mail. In this 
implementation, advice sites e-mail their new advisories to 
the central remailer site, which in turn e-mails them to a 
mailing list which is kept confidential, consisting of 
individuals who have contacted the central site and established 
a subscription relationship. In this implementation, there is 
a new form of advisory specially designed for retraction. 
Advice sites handle retraction of advice by e-mailing 
retraction advisories to the central remailer site, which in 
turn e-mails them to the mailing list. 

Under this arrangement, the advice reader cooperates with 
the e-mail reader on the consumer computer and with the 
consumer's e-mail reader configured to filter advice 
automatically into a mailbox designated for advice reader 
access. The advice reader performs site synchronization, not 
by contacting the original advice site, but instead by 
interpreting the contents of the mailbox that have arrived 
since the previous synchronization. 

This approach is particularly suited for working with 
POP3 Internet mail servers. This arrangement is essentially 
an implementation of the AEUP protocol using e-mail. 
Neither the fact that a certain consumer has a subscription 
nor the fact that a certain advisory is relevant is generally 
available to the advice provider. 

Under this arrangement, the one way membrane that 
AEUP provides is made particularly clear to consumers. 
Consumers understand that the advice site need not know 
that they subscribe to the site and that there is never direct 
IP traffic between the consumer machine and the advice site. 
They can see, by inspecting the plain text of the mail, that 
advisories are not coming to them directly from the advice 
site, but instead are transferred anonymously to them from 
the centralized advice remailer. 

A potential weak spot in this arrangement is the existence 
of a secret mailing list whose secrecy is compromised. To 
inspire consumer confidence, it is best that the centralized 
remailer is operated by a trusted consumer minded authority. 
By insulating consumers from providers, this arrangement 
prevents providers from learning about the identity or about 
any relevance attributes of any consumer who participates in 
this arrangement and who does not choose to disclose anything 
to the providers voluntarily. 

USENET Advice Diffuser 

In one embodiment, advice distribution operates via 
USENET news transport. 

The advice site architecture described above is maintained. 
There is a widely distributed base of advice sites. 
However, many readers do not contact those sites directly. 
Instead, they get advice by USENET. In this 
implementation, a whole collection of USENET newsgroups 
is created, e.g. one per advice site. The advice site, from time 
to time, posts new advisories to USENET, which, in turn, 
causes the new postings to be distributed worldwide to all 
machines that operate as newsgroup servers. 

Under this arrangement, the advice reader then performs 
site synchronization, not by contacting the original advice 
site, but instead using USENET protocols to contact a 
newsgroup server and access new postings in certain 
newsgroups. 

This arrangement is essentially an implementation of the 
AEUP protocol using USENET. Neither the fact that a 
certain consumer has a subscription nor the fact of a certain 
advisory's being relevant is generally available to the advice 
provider. 

Under this arrangement, the one way membrane that 
AEUP provides is made particularly clear to consumers. 
Consumers understand that the advice site need not know 
that they subscribe to the site and that there is never direct 
IP traffic between the consumer machine and the advice site. 
In fact, because the act of receiving news via USENET is 
anonymous, there is not even a mailing list anywhere and so 
there is no centralized information base linking them to the 
advice site. 
Software Channels 

In one possible embodiment, advice distribution operates by 
the use of what are commonly referred to as channels by 
push providers, such as Backweb, Marimba, and PointCast 
(see Ellerman, Castedo (1997) Channel Definition Format, 
World-Wide-Web Consortium Technical Report, 
http://www.w3.org/TR/NOTE-CDFsubmit.html). In another 
embodiment, advice distribution operates by the use of 
e-mail mailing lists. In either case, the distribution method 
is referred to as a channel. The logical relationships are the 
same. Nothing of importance changes below if every 
occurrence of the word channel is changed to mailing list. 

The advice site architecture discussed above is maintained. 
There is a widely distributed base of advice sites. 
However, some readers do not contact those sites directly. 
Instead, they receive advisories through channels. In this 
implementation, a whole collection of channels is created, 
perhaps one per advice site. The advice site from time to 
time pushes new advisories to its channel which, in turn, 
causes the new offerings to be distributed worldwide to all 
machines that subscribe to that channel. 

Under this arrangement, the advice reader performs site 
synchronization by listening for incoming data on the 
channel, and processing the incoming advisories as they 
arrive. 

This arrangement is essentially an implementation of the 
NEUP protocol. Under some implementations of channels, 
the fact that a user has a subscription is known to the content 
provider. Typically, the fact a certain advisory is relevant is 
generally unavailable to the advice provider. 

Under this arrangement, the one way membrane that 
AEUP provides is made particularly clear to consumers, if 
channel providers offer truly one-way channels and explain 
this to consumers. For example, mailing lists are well 
understood by consumers to offer what is typically a 
one-way communication. Consumers understand that 
communication only becomes two-way when the consumer wishes to 
initiate contacts in the other direction. 
Alternate Mechanisms to Promote Consumer Trust 

So far it has been assumed that the primary concerns that 
a consumer might have about privacy must be solved 
technologically. The viewpoint has been that it is only 
possible to protect consumer privacy by developing a system 
which renders it literally impossible for advice providers to 
make valid inferences about the relevance of certain 
advisories to specific consumers. It is an important 
achievement to be able to insulate consumers in this way. 
However, this insulation comes at the cost of certain 
constraints. In addition, some consumers may not be able to 
accept that there exists a purely technological solution to 
the privacy problem, and those consumers may suspect that any 
technological solution inevitably has failings, i.e. leaks 
from time to time. Such consumers worry about what happens if 
a leak occurs, and are not persuaded by technologists' 
assurances that no leaks can occur. Such consumers might be 
more reassured by explicit pledges on the part of advice 
providers that leaks would not be exploited by the providers. 

A way to address consumer concerns about advice provider 
intentions is to restrict the population of advice providers 
to just those providers who have signed and who are 
fulfilling a contract to behave in ways which offer consumers 
guarantees. This has three components: 
Ethical Standards. A fundamental document is made available 
providing a well known definition of ethical behavior. 
Certain advice providers have signed this document 
and deposited it with a central authority, such as Better 
Advice Bureau, which publishes the identities of signers. 

User Interface. Users are given an option to restrict inter- 
actions just to providers who are known to follow the 
ethical standards. 

Restriction of Server Privileges. The reader/server interac- 
tion is protected by a proprietary handshake mechanism, 
and access to the appropriate reader/server handshaking 
secret codes is licensed only to those who have signed the 
agreement on ethics. There are two natural ways this is 
done: 

By a centralized server strategy, in which advice readers 
have their functioning restricted by a handshaking 
mechanism so that they can only interact with a cen- 
tralized advice server, serving advice only from those 
sites known to be obligated to follow ethical standards 
and known to be in compliance. 
Following a proprietary server strategy, in which advice 
readers can only interact with advice servers having the 
appropriate handshake, and the handshake is known 
only to servers at ethically bound advice sites. 
In summary, there are some providers who have signed an 
agreement making a contractual guarantee of privacy to 
customers. There are some consumers who want to deal only 
with such providers, and there is a technological mechanism 
to restrict advice reader access to those providers. 
Alternate Relevance Evaluation Models 
The General Picture: State Comparison 

In effect, a relevance clause is an assertion about the state 
of a computer or of its environment or of the state and 
environment of computational devices reachable from the 
computer. The relevance language provides a way for an 
author to describe components of the state of a computer. 
However, there are other ways that components of the state 
could be described. 

The advice reader and the associated inspector libraries 
give a way to compare a description of the state with the 
actual state. However, there are other ways that components 
of the state could be compared with a description. 
Community of Watchers 

An alternate method of state description might rely on a 
community of watchers, i.e. specialized applications, each 
potentially with its own unique concerns and architecture, 
which can analyze specific assertions about the computer or 
its environment. Such an application is referred to as a 
watcher. 

Consider a file watcher application that watches to see if 
certain files had appropriate attributes. This application 
maintains a database of assertions. Each entry names a file 
or directory, a list of the specified attributes of the object, a 
specified watching frequency, and a pointer to a message and 
action associated with failure of the assertion. Examples of 
specifiable attributes include existence, name, version, size, 
and checksum. The file system watcher, running continually, 
at scheduled times, or under user control, goes through its 
database of assertions and checks that each entry has the 
asserted status, e.g. each file has the specified attributes. If 
it finds an entry that does not have the required status, then 
it passes information about the failure of the assertion, along 
with the message and actions associated with the assertion, 
to a user interface module. The user interface module, a part 
of the watcher application, and an application used in 
common across the whole system, presents to the user 
information about failure of the asserted condition and 
relays the associated message and recommended response. 

A file watcher application also interprets messages making 
new assertions about the state, or revokes old assertions. 
The receipt of such a message causes the file watcher to 
update its database of assertions to include entries making 
the new assertions or to delete entries making the revoked 
assertions. The file watcher itself receives these messages 
from a messaging module, which is part of the watcher 
application or an application used in common across the 
whole system. 

A remote author who wants to assert conditions about the 
consumer computer authors messages intended for the file 
watcher application according to a published file watcher 
assertion specifier. This is a database entry homologous to 
the entries in the database kept by the file watcher, or a 
textual description of an entry, using a keyword language or 
other humanly interpretable descriptive device. Such a 
specifier is packaged for transport across networks or by 
other digital transfer mechanism. Such a package is distrib- 
uted to consumer machines by any of the methods enumer- 
ated so far, i.e. AEUP, ASUP, NEUP, NSUP, e-mail, or 
channels. 

Some potential advantages of this approach include: 

Specialization yielding efficiency. A watcher, because it is 
specialized, is written to optimize the speed at 
completing a specialized set of tasks. For example, if a file 
system watcher has to watch several files in the same 
directory, it is to do so while making only one directory 
structure access rather than several, thereby saving disk 
operations. It is possible to avoid certain operations if 
it is known what the outcome is based on certain earlier 
operations. If several different assertions must be tested 
about the same file, it is possible to make a single file 
access to get the information about all of them 
simultaneously. In addition, if the watcher accepts 
instructions in a predefined format that avoids the need for 
parsing, it can evaluate assertions more quickly. 

Specialization yielding expressiveness. A watcher, 
because it is specialized, is written to use a very 
convenient mode of describing a specialized set of 
tasks. For example, if a file system watcher accepted 
expressions in a language, that language is designed to 
incorporate well proven useful idioms from other sys- 
tems. Thus, in UNIX, wild cards * , [a-z], ? and related 
constructs are useful in efficiently describing properties 
of file systems, for example, in referring to a large 
collection of files with similar but not identical names. 
A file system watcher makes use of such a specialized 
idiom without impacting the design of the interfaces of 
other watchers in the community of watchers. 

Specialized scheduling algorithms. A watcher, because it 
is specialized, is written to schedule execution of the 
specialized task set that it addresses appropriately. For 
example, a file system watcher operating in continuous 
watch mode follows a specialized scheduling algorithm 
which is different from the algorithm used for a system 
settings watcher. In certain operating systems, for 
example, the file system itself maintains information 
about whether files or directories changed, which is 
used to defer evaluation of assertions because it is 
known that the state of the assertions has not changed 
since the previous evaluation. 

Specialization yielding security and privacy. A watcher, 
because it is specialized, is written to block certain 
dangerous or revealing assertions. For example, a file 
system watcher has various user configurable security 
and privacy settings, enabling the user to control the 
access to certain files or elements within files. 
The collection of watchers is large. In addition to file 
system watchers and system settings watchers, files such as 
serial device watchers, printer watchers, and network watch- 
ers are provided. 
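
An added Python illustration of the file watcher described above: a database of assertions, one directory access per directory, the expensive checksum evaluated last, and a user-configured privacy setting that refuses assertions about protected directories. It is not code from the patent; the field names, the blocked_dirs setting and the sample files are assumptions constructed for the example.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def run_watcher(assertions, blocked_dirs=()):
    """Check file assertions; return (failures, refused).

    Each assertion is a dict with "path" and "message" plus any of the
    attributes "exists", "size", "sha256" (hypothetical field names).
    blocked_dirs is the user's privacy setting: no assertion may inspect
    anything beneath these directories, because the outcome of a size or
    checksum assertion reveals something about the file's contents.
    """
    blocked = [os.path.realpath(d) for d in blocked_dirs]
    by_dir, failures, refused = defaultdict(list), [], []
    for entry in assertions:
        # Resolve symlinks first so a link cannot sidestep the policy.
        real = os.path.realpath(entry["path"])
        if any(os.path.commonpath([real, b]) == b for b in blocked):
            refused.append(entry["path"])
            continue
        by_dir[os.path.dirname(real)].append((entry, real))

    for directory, group in by_dir.items():
        try:  # one directory access serves every assertion in it
            with os.scandir(directory) as listing_iter:
                listing = {item.name: item for item in listing_iter}
        except OSError:
            listing = {}
        for entry, real in group:
            found = listing.get(os.path.basename(real))
            present = found is not None and found.is_file()
            ok = present == entry.get("exists", True)
            if ok and present and "size" in entry:
                ok = found.stat().st_size == entry["size"]
            if ok and present and "sha256" in entry:  # costly check last
                ok = sha256_of(real) == entry["sha256"]
            if not ok:
                failures.append((entry["path"], entry["message"]))
    return failures, refused


def demo():
    # Constructed sample tree: one application file and one private file.
    with tempfile.TemporaryDirectory() as root:
        app, private = os.path.join(root, "app"), os.path.join(root, "private")
        os.makedirs(app)
        os.makedirs(private)
        driver = os.path.join(app, "driver.bin")
        diary = os.path.join(private, "diary.txt")
        with open(driver, "wb") as handle:
            handle.write(b"version 2.5")
        with open(diary, "wb") as handle:
            handle.write(b"secret")
        good_hash = hashlib.sha256(b"version 2.5").hexdigest()
        assertions = [
            {"path": driver, "size": 11, "sha256": good_hash,
             "message": "driver altered"},
            {"path": driver, "size": 99,
             "message": "driver has unexpected size"},
            {"path": os.path.join(app, "patch.bin"),
             "message": "patch missing"},
            {"path": diary, "sha256": "0" * 64, "message": "content probe"},
        ]
        failures, refused = run_watcher(assertions, blocked_dirs=[private])
        return ([message for _, message in failures],
                [os.path.basename(path) for path in refused])


if __name__ == "__main__":
    print(demo())
```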

Community of Watchers is the Same Invention 

The community of watchers approach is a variation on the 
invention. There are two ways to understand this point. 
As an implementation layer. Notice that in the invention, 
the inspector libraries have their actual implementa- 
tions carried out by variations of such specific watch- 
ers. For example, a file system watcher is built to watch 
various characteristics of various files. This is then 
exploited by the advice reader, as follows: File related 
method dispatches in the advice reader are imple- 
mented as queries to the file system watcher. The file 
system watcher answers each query and records the 
query in its database of assertions. The next time the 
same dispatch occurs, the file system watcher uses its 
specialized caching, scheduling, and optimizations to 
get the answer more cheaply, where feasible. In this 
way, the community of watchers is an implementation 
layer for inspectors and the user interface/messaging 
software of the community of watchers is the advice 
reader software. 
As a variant implementation. Another way to see that the 
community of watchers is a related invention is to 
notice that the features which seem most attractive 
about the watcher approach, such as enabling 
specialized idioms for specialized tasks, are provided under 
both approaches. The UNIX patterning idioms are 
implemented by creating a named property of World 
referred to as located files which accepts UNIX-style 
patterns as the name-specifier string. The fragment: 

not exists Located files "*.mat" whose (creator of it is creator 

which asks for a file in UNIX notation is provided within the 
invention's language through an inspector for the plural 
property located files UNIX-pattern. 
Forest of Concerns as an Optimization Strategy 

The community of watchers approach to state description 
articulates the concept of forest of concerns. Each interested 
author formulates a concern about the state of the consumer 
computer, these concerns are relayed to the computer, and 
the state of the computer is continually reviewed and com- 
pared with those concerns. 

From an efficiency and scheduling viewpoint, it is good to 
organize the process of state description around the concept 
of a forest of elementary concerns rather than around the 
concept of relevance clauses. Many pieces of advice may 
have as subclauses the exact same phrase, and it is inefficient 
to evaluate those subclauses independently. For example, 
consider a pool of five pieces of advice with relevance 
clauses making assertions about the directory Adobe 
Photoshop. 
The first is: 

exists Folder "Brushes and Patterns" of Folder containing 
Application "Adobe Photoshop 2.5" 
The second is: 

exists Folder "Calibration" of Folder containing 
Application "Adobe Photoshop 2.5" 
The third is: 

exists Folder "Color Palettes" of Folder containing 
Application "Adobe Photoshop 2.5" 
The fourth is: 

exists Folder "Plug-Ins" of Folder containing Application 
"Adobe Photoshop 2.5" 
The fifth is: 

exists Folder "Third-Party Filters" of Folder containing 
Application "Adobe Photoshop 2.5" 
In each case, evaluation of the relevance clause requires the 
evaluation of the phrase folder containing Application 
"Adobe Photoshop 2.5". In short, these five clauses do the 
same work five times. 

It is possible to organize things differently, with the 
surface expressions being analyzed into a minimal collection 
of subexpressions. The collection of these subclauses is 
then watched in nonredundant fashion. More concretely, a 
pool of relevance clauses scheduled for joint evaluation is 
parsed into its forest of associated expression trees. This 
collection of trees is analyzed into its maximal subtrees. Two 
subtrees are equivalent if they are literally the same, i.e. the 
same method dispatches are applied to the same arguments, 
or are rearranged under valid applications of commutativity 
and associativity to be the same. An expression subtree is the 
child of another subtree if the associated expression occurs 
as a first level subexpression of the other associated 
expression. 

A subtree is maximal if either: 

(a) it has no parents, or 

(b) if it has at least two parents and the parents are 
inequivalent expressions. 

The following illustrates the concept with the pool of five 
relevance clauses illustrated above. The first parses into: 
(exists (Folder "Brushes and Patterns" 
    (Folder-Containing 
        (Application "Adobe Photoshop 2.5") 
    ) 
  ) 
) 

The second into: 
(exists (Folder "Calibration" 
    (Folder-Containing 
        (Application "Adobe Photoshop 2.5") 
    ) 
  ) 
) 

The third into: 
(exists (Folder "Color Palettes" 
    (Folder-Containing 
        (Application "Adobe Photoshop 2.5") 
    ) 
  ) 
) 

The fourth into: 
(exists (Folder "Plug-Ins" 
    (Folder-Containing 
        (Application "Adobe Photoshop 2.5") 
    ) 
  ) 
) 

The fifth into: 
(exists (Folder "Third-Party Filters" 
    (Folder-Containing 
        (Application "Adobe Photoshop 2.5") 
    ) 
  ) 
) 

Here, the five different relevance clauses are inequivalent 
because they name different properties. The collection of 
maximal expressions consists of these five expressions, plus 
one proper subexpression: 
(Folder-Containing 
    (Application "Adobe Photoshop 2.5") 
) 

A watcher organized around the maximal expressions 
operates in a nonredundant fashion as follows: 

Parse all expressions in a collection of relevance clauses 
into expression trees. 

Identify with unique labels those maximal subexpressions 
which have parents. 

Transform each expression tree into a new tree built from 
references to its labeled maximal subexpressions. 

When evaluating relevance, maintain extra storage, 
referred to as maximal-subexpression value storage, which 
records the value of maximal subexpressions for later use. 
When encountering a reference to a labeled maximal 
subexpression, first check this storage to see if a value is 
already recorded. If so, use the stored value. If not, evaluate 
the subexpression, recording the resulting value in the 
storage. 
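
The four steps above, run on the pool of five clauses, as an added Python example (not code from the patent). The tuple encoding of expression trees, the toy WORLD and INSPECTORS tables and the per-pass lifetime of the storage are assumptions of this sketch; equivalence is taken as literal equality only, without the commutativity and associativity rearrangements.

```python
from collections import defaultdict

# Constructed pool: the five relevance clauses from the text. A node is a tuple
# (method, arg, ...); a plain string is a constant. This encoding is an assumption.
PS = ("Folder-Containing", ("Application", "Adobe Photoshop 2.5"))
POOL = [("exists", ("Folder", name, PS)) for name in (
    "Brushes and Patterns", "Calibration", "Color Palettes",
    "Plug-Ins", "Third-Party Filters")]

# Constructed stand-in for the consumer machine and its inspectors (hypothetical).
WORLD = {
    "apps": {"Adobe Photoshop 2.5": "/Apps/Photoshop/Adobe Photoshop 2.5"},
    "folders": {"/Apps/Photoshop/Plug-Ins", "/Apps/Photoshop/Calibration"},
}

def _folder(world, name, parent):
    path = f"{parent}/{name}"
    return path if parent and path in world["folders"] else None

INSPECTORS = {
    "Application": lambda world, name: world["apps"].get(name),
    "Folder-Containing": lambda world, path: path.rsplit("/", 1)[0] if path else None,
    "Folder": _folder,
    "exists": lambda world, value: value is not None,
}

def parent_forms(pool):
    """Step 1: walk every tree; map each subtree to its distinct parent forms."""
    parents = defaultdict(set)
    def walk(node):
        parents[node]  # touch the entry so roots appear with an empty set
        if isinstance(node, tuple):
            for child in node[1:]:
                parents[child].add(node)  # tuple equality = "literally the same"
                walk(child)
    for tree in pool:
        walk(tree)
    return parents

def labeled_maximal(pool):
    """Step 2: label maximal subexpressions that have parents, i.e. method
    invocations occurring under at least two inequivalent parent forms.
    Constants are skipped because caching them saves nothing."""
    shared = [node for node, forms in parent_forms(pool).items()
              if isinstance(node, tuple) and len(forms) >= 2]
    return {node: slot for slot, node in enumerate(shared, start=1)}

def transform(node, labels):
    """Step 3: wrap each labeled subexpression as
    (Maximal-Subexpression slot (quote subexpression))."""
    if not isinstance(node, tuple):
        return node
    rebuilt = (node[0],) + tuple(transform(child, labels) for child in node[1:])
    if node in labels:
        return ("Maximal-Subexpression", labels[node], ("quote", rebuilt))
    return rebuilt

class Watcher:
    """Step 4: evaluate with maximal-subexpression value storage."""
    def __init__(self, world):
        self.world = world
        self.storage = {}              # slot -> recorded value, one pass only
        self.calls = defaultdict(int)  # real inspector dispatches, per method

    def evaluate(self, node):
        if not isinstance(node, tuple):
            return node                # constant
        method, *args = node
        if method == "Maximal-Subexpression":
            slot, (_quote, expr) = args
            if slot not in self.storage:   # quoted expr is evaluated on a miss only
                self.storage[slot] = self.evaluate(expr)
            return self.storage[slot]
        values = [self.evaluate(arg) for arg in args]
        self.calls[method] += 1
        return INSPECTORS[method](self.world, *values)

def run_pool(pool, world, share=True):
    """Evaluate a pool in one pass; a fresh Watcher keeps stale values from
    surviving into a later pass, when the machine state may have changed."""
    labels = labeled_maximal(pool) if share else {}
    watcher = Watcher(world)
    results = [watcher.evaluate(transform(tree, labels)) for tree in pool]
    return results, dict(watcher.calls)
```

With sharing enabled, the Application and Folder-Containing inspectors are each dispatched once for the whole pool instead of once per clause.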

In more detail, this works as follows: For the pool of five 
relevance clauses above, the maximal subexpression: 
(Folder-Containing 

(Application "Adobe Photoshop 2.5") 

) 

is associated with position one in maximal-subexpression 
storage. Transform a typical relevance clause by making 
appropriate references to this storage. In the case of the first 
of the relevance clauses this works as follows: 

(exists (Folder "Brushes and Patterns"
  (Maximal-Subexpression 1
    (quote (Folder-Containing
      (Application "Adobe Photoshop 2.5")
    ))
  )
))

In summary, a wrapper referred to as Maximal-Subexpression
is inserted around the identified maximal
subexpression. This wrapper method has a first argument
which associates the subexpression to storage index one, and
a second argument which is a quoted-expression. This 
quoted expression is not evaluated prior to the invocation of 
the wrapper method. Instead it is parsed into an appropriate 
representation as an unevaluated data structure representing 
an expression for conditional evaluation which is to be 
passed to the wrapper method as data. The wrapper method 
looks at location one to see if a value is stored there. If so, 
the wrapper method returns that value. If not, the wrapper 
method asks to evaluate the subexpression which it has been 
passed. Upon completion of the evaluation, it stores the 
value in location one of the maximal-subexpression storage. 

Suppose that this relevance clause is the first evaluated
in a given advice pool. Its evaluation results in
evaluation of the subexpression and recording of
the value of the subexpression in position one of the
maximal-subexpression storage.

Now consider the second item in the pool, in its transformed
form:

(exists (Folder "Calibration"
  (Maximal-Subexpression 1
    (quote (Folder-Containing
      (Application "Adobe Photoshop 2.5")
    ))
  )
))

Suppose this clause is evaluated after the previous clause.
There is no evaluation of the maximal subexpression
because the wrapper finds that the subexpression's value is
already recorded in storage.

It remains to discuss how one can identify maximal
subexpressions in a forest of expression trees. This is
obtained by a tree/forest pruning algorithm. Define as a
terminal form any method invocation which does not depend
on any other method evaluation for its value. Formally it is
either a named property of World (Application "Adobe
Photoshop 2.5"), an unnamed property of World
(System-Folder), or a constant (string '4x^'), (Integer 1234).

The algorithm begins by scanning a pool of relevance
clauses for all unique terminal forms. It associates to each
unique terminal form a list of pointers to all locations in the
pool where that form occurs.

The algorithm initializes a database of working
subexpression forms as the collection of all terminal forms, i.e. to
begin with, the working subexpression forms are the
terminal subexpression forms. These are marked for evaluation at
the next stage.

The algorithm proceeds in stages, each stage transforming
the working subexpression forms to a collection of parent
forms. The algorithm stops when the working database is
empty. At a given stage, it iterates through the collection of
all working forms. For each form in the working collection
marked for study at this stage, it considers the collection of
all parent expressions of that expression. This is available
because associated with a form is a list of pointers to its
occurrences in the pool.

Among those parent method invocations, it identifies the
unique forms, i.e. the unique combinations of method name
and method arguments which have the given subexpression
as a first level subexpression. These unique invocation
patterns are referred to as parent forms. If there are no parent
forms, the subexpression is deleted from the working
database. If there is exactly one parent form, the subexpression
is replaced in the working database by its parent form, the
parent form being marked for processing only at the next
stage, and the pointers to the occurrences of the parent form
being properly calculated, using the previously available
pointers to the children occurrences. If there is more than
one parent form, then a new maximal form is recognized. It
is assigned a maximal-form ID number, and a wrapper
transformation is made on each expression that references
the form. That is, in all those expressions where the form
occurs, a wrapper is inserted around the form according to
the recipe:

(Maximal-Subexpression $ID# (quote $$))

where $ID# is replaced by the ID number of the identified
maximal-form, $$ refers to the occurrence of the
maximal-form itself, and the (quote) form is the means of preventing
immediate evaluation, as described above.

The working forms database is then expanded to include
each unique parent form of the recognized maximal-form,
with the newly added items marked for evaluation at the
following stage, and with a list of pointers to the occurrences
of each parent form in the advice pool.

At the conclusion of this algorithm, there is a collection
of transformed expressions in which maximal common
subexpressions have been identified and where only
nonredundant evaluation is performed.

The reader may wish to verify that the algorithm produces
exactly the desired result on the pool of five relevance
clauses indicated earlier.

Alternates to Binary Relevance Determination

The invention contemplates a situation where messages
arrive and computations are performed to evaluate certain
assertions with the general goal of notifying the user about
certain associated messages, where the timing, format, and
other attributes of the notification, including the decision to
notify or not, are influenced by the results of the specified
computations. The broader notion of influencing relevance
appraisal may be implemented by a slight variation on the
system described above.

The invention, in one embodiment, obtains appraisals of
relevance according to non-binary criteria. A well formed
[...] the relevance language results in numerical values
[...] equivalent to the numerical value 1.0 and the Boolean False
equivalent to the numerical value 0.0. Suppose that
[...] advice yield Boolean values, but
other clauses yield numbers taking values between 0 and 1.
A value between 0 and 1 is interpreted as indicating a degree
of relevance that lies intermediate between certain relevance
and certain irrelevance. In one embodiment, the user
interface presents to the user advisories graded according to
degree of relevance, with those having value 1.0 at the top
of the list and those having value 0.0 at the bottom. This type
of variation, extending Boolean to Real, is well known under
the name fuzzy logic.

In a different embodiment, the outcome of relevance
determination is a categorical label. In this embodiment,
True and False are two labels, and the user interface is keyed
to display messages labeled True. However, there are labels,
such as Attractive Offer or Chronic Household Situation
Needing Eventual Attention. Such labels result from
evaluation of relevance clauses and, depending upon the user
interface attached to the invention, such labels lead to
different methods of notification or different methods of
presentation than other kinds of labels. The implementation
of a centralized coordination authority such as
advisories.com offers a mechanism for publication and coordination
of such labels. The implementation of user side filtering
allows the user to associate means of notification to various
labels, which means include the possibility of no
notification.

In one embodiment of the invention, a layer of extra
analysis is inserted between relevance appraisal and user
interface. Thus, the result of relevance computation may be
filtered based on user preferences and on observation of the
user. Thus, the relevance computation, rather than
determining uniquely the notification status of messages, influences
the notification process. For example, a user side filtering
method (see above) whereby a user suppresses the display of
certain messages which are nominally relevant may be
implemented. In one embodiment, such censoring
mechanisms are applied automatically. An advice reader or other
application contains a module to observe user behavior and
make inferences about user preferences which can drive
such censoring mechanisms. Similarly, in one embodiment,
prioritization mechanisms are applied automatically. An
advice reader or other application contains a module to
observe user behavior and make inferences about user
priorities, so that among relevant messages those which are
more likely to be of interest to the user are displayed earlier
or more prominently.

Alternate Message Formats

Alternate to MIME Wrappers

The disclosed preferred embodiment uses MIME, a well
known Internet standard, as a means of packaging advisories
for transport across the Internet and other digital transport
media.

Another well known means for packaging textual
information for remote interpretation is the XML language. This
language also makes possible hierarchical messaging, and is
able to accommodate message components of the types
enumerated above.

There are many implementations of the basic arrangement
disclosed herein. Whether using well known protocols such
as MIME and XML or proprietary protocols, they constitute
implementations of the invention.
Substitutes for Three-Part Messaging

The invention is discussed in terms of a three-part
message, containing humanly interpretable information, a
relevance clause, and computer interpretable information.
These three logically connected components need not be
packaged in the same physical message. There needs to be
only an association between these parts. For example, the
ASUP protocol sends abstracts containing only message
identifiers and the relevance clause separately from the
message body, consisting of explanatory content, software,
and references. Under ASUP, relevance evaluation drives a
second reader-server interaction, where the associated
message body is obtained. In other implementations, an even
looser association between relevance clause and content is
maintained, where a relevant result initiates exploration of a
whole sequence of messages.
Substitutes for Relevance Language 

The relevance language is a convenient means of describing
the state of a consumer computer and its environment.
However, other languages can be modified into forms which
enable computed-relevance messaging.
JAVA Model 

The JAVA programming language is a well known and
widely available tool for specifying computations.

In one embodiment of the invention, the role of the
relevance language is played using software tools
implemented in the JAVA programming language. Owing to the
popularity of JAVA this might find wide acceptance among
software developers and other computer professionals.

In the currently understood best method of developing
this implementation, a special variant of JAVA,
RELEVANCE-JAVA is developed, with its own specialized
resources and evaluated by a specialized variant of the JAVA
machine. The intent of this special version is to provide
some of the same privacy and security characteristics as the
relevance language described earlier. RELEVANCE-JAVA
supplies three specific features which make it very useful:
Specialized inspector libraries. Special JAVA objects and
classes developed to enable the determination of
properties of the consumer computer. These inspect file
system, system settings, and related properties of the
computer and its environment. This is effected by
turning on certain features in the JAVA virtual machine
which enable access of machine characteristics.
Privacy Restrictions. While RELEVANCE-JAVA is able
to learn a great deal about the user machine, it does not
have the ability to transmit any gathered information
back to the author. This is effected by limiting the
installed objects and classes and turning off certain
features in the JAVA virtual machine.
Security Restrictions. While RELEVANCE-JAVA is able
to learn a great deal about the user machine, it does not
have the ability to modify the machine, i.e. to modify
files and to affect the system settings.
The three part messaging model described above is
conducted as follows: One part consists of humanly
interpretable explanatory content; one part consists of
RELEVANCE-JAVA code specifying conditions under
which a message becomes relevant on certain consumer
machines; and one part of computer interpretable code,
perhaps in a different dialect of JAVA, able to cause effects
on the consumer machine after consumer approval.
Visual Basic Model 

The Visual Basic programming language is a well known
and widely available tool for specifying computations. 

In one embodiment of the invention, the role of the 
relevance language is played using software tools imple- 
mented in the Visual Basic programming language. Owing 
to the popularity of Visual Basic this finds wide acceptance 
among software developers and other computer profession- 
als. 

In the currently understood best method of developing 
this implementation, a special variant of Visual Basic,
RELEVANT-BASIC is developed with its own specialized 
resources and evaluated by a specialized variant of the Basic 
interpreter. The intent of this special version is to provide 
some of the same privacy and security characteristics as the 
relevance language described earlier. RELEVANT-BASIC 
supplies three specific features which make it very useful: 
Specialized inspector libraries. Special Visual Basic func- 
tions and data types are developed to enable the deter- 
mination of properties of the consumer computer. 
These have the ability to inspect file system, system 
settings, and related properties of the computer and its 
environment. 

Privacy Restrictions. While RELEVANT-BASIC is able 
to learn a great deal about the user machine, it does not 
have the ability to transmit any gathered information 
back to the author. This is effected by limiting the 
installed objects and classes and turning off certain 
features in the BASIC interpreter. 
Security Restrictions. While RELEVANT-BASIC is able 
to learn a great deal about the user machine, it does not 
have the ability to modify the machine, i.e. to modify
files and to affect the system settings. 
The three part messaging model is conducted as follows: 
One part consists of humanly interpretable explanatory 
content; one part consists of RELEVANT-BASIC code
specifying conditions under which a message becomes rel- 
evant on certain consumer machines; and one part of com- 
puter interpretable code, perhaps in a different dialect of 
Visual Basic, able to cause effects on the consumer machine 
after consumer approval. 
UNIX Model 

The UNIX Shell, in its variant implementations, may be 
viewed as a scripting language, a well known and widely 
available tool for examining properties of a file system and 
specifying computations. 

In one embodiment of the invention, the role assigned to 
the relevance language is instead played by software tools 
implemented in the UNIX shell and associated UNIX Tools. 
Owing to the popularity of UNIX in its variant forms, this 
might find wide acceptance among software developers and 
other computer professionals. 

In the currently understood best method of developing
this implementation, a special variant of the UNIX Shell,
RELEVANT-Shell is developed with its own specialized
resources and evaluated by a specialized variant of the Shell
interpreter. The intent of this special version is to provide
some of the same privacy and security characteristics as the
relevance language described earlier. RELEVANT-Shell
supplies three specific features which make it useful:
Specialized inspector Applications. Special applications 
are developed to enable the determination of properties 
of the consumer computer. These have the ability to 
inspect file system, system settings, and related prop- 
erties of the computer and its environment. These are 
known to RELEVANT-Shell.
Privacy Restrictions. While RELEVANT-Shell is able to
learn about the user machine, it does not have the
ability to transmit any gathered information back to the
author. This is effected by disabling access to certain
communications and networking features in the shell
interpreter.
Security Restrictions. While the applications reachable
through RELEVANT-Shell are able to learn about the
user machine, they do not have the ability to modify the
machine, i.e. to modify files and to affect the system
settings, except through standard mechanisms, such as
creating temporary files in standard locations such as
tmp and subject to resource metering.
The three part messaging model is conducted as follows:
One part consists of humanly interpretable explanatory
content; one part consists of RELEVANT-Shell code
specifying conditions under which a message becomes relevant
on certain consumer machines; and one part of
computer-interpretable code, perhaps in a different dialect of Shell or
other UNIX-interpretable code, able to cause effects on the
consumer machine after consumer approval.
Alternate State Description 

The possibility of alternate methods of describing the
state of the consumer computer is described above. It is
possible to describe the state without using an overall
relevance language if one has available a community of
watchers, each with their own peculiar interfaces. The
relevance language is then replaced by whatever means of
expression by which the said application modules are
invoked and controlled.
Relevance-Mediated Processes

The description of the invention has taken the stance that
the purpose of relevance evaluation is to mediate the
decision to notify a consumer about the existence of a message.
To that end, the advice reader application functions as a
messaging center, and advisories play a role analogous to
messages in e-mail, USENET news, and other messaging
modalities, in that they are read by the user as part of a user
defined schedule. In this viewpoint, the user is a manager of
his computer, his property, and his affiliations, and he reads
advice which helps him with his concerns in that managerial
role.

However, there are other non-managerial settings in
which relevance can drive the presentation of information to
a consumer as an integral part of certain other processes in
which the consumer is engaged.

Guidance. The consumer is the user of a computer
applications program, and relevance based messaging
provides guidance to the consumer at the moment before
performing a certain action or at the moment after
performing a certain action.
Composition. The consumer is reading a document using
a display application on the computer, and relevance
based content adaptation shapes the document so that
the humanly interpretable message targets directly the
characteristics of the reader.
In fact, all such applications are embodiments of the
invention. Computed relevance messaging is of value much
more broadly than in the managerial mode described above.
Relevance-Guided Computer Interaction

The following is an example showing how an advisory is
used to guide a user in the operation of a piece of software.

Consider the following problem: A certain dangerous
e-mail message has been obtaining wide distribution. When
received by a user with the e-mail program Eudora 4.0, the
user sees an innocent looking mail message including an
attachment with an invitation to the user to open the
attachment. The attachment is actually a maliciously prepared
document which, if opened, can cause damage to the user's
computer.

The discussion below describes one implementation of 
relevance based messaging which helps to deal effectively 
with this situation. Under that implementation, an author 
writes an advisory which is evaluated for relevance before a 
user of Eudora opens an attachment. The relevance clause 
inspects various attributes of the contemplated action and 
precisely targets an attempt to open an attachment with 
certain attributes. The advisory then returns text to the mail 
application which the mail application displays to the user. 

In one embodiment, the desired effect may be produced 
using an inter-application communication framework as 
follows: 

The mail reader application has a special collection of
relevance evaluation events, i.e. predefined events which
are well known to authors of advisories.

Whenever one of these events occurs, the mail reader
notifies the advice reader of the event via a standard event
notification protocol.

The advice reader maintains event pools, i.e. advisories
intended for evaluation upon receiving notice of certain
events.

The advice reader evaluates the advisories in an event pool
upon receiving notice of the corresponding event.

The advice reader notifies the user of a relevant message by
either:

  Notifying the user of the application directly, employing
  standard user interface devices of the advice reader; or

  Sending the relevant messages to the mail reader. The
  mail reader then displays those messages for the user,
  according to the user interface standards of that
  application.

The choice between these methods of notification is made 
under the control of user preferences, author preferences, or 
application defaults. 

This event-driven framework is particularly powerful 
when: 

The application sending an event signal includes descrip- 
tive information about the event. In the mail reader 
context, the event Eudora About to Open Attachment is 
accompanied by information about the sender of the 
mail, information about the name of the attachment file, 
information about the sender of the mail, and informa- 
tion about attributes of the attachment file. 
The advice reader contains an inspector library which
refers to properties furnished by the application, e.g.
mail sender and file name.
In this context, if someone wants to warn every user
receiving mail from king@athens.gr with an attachment
named trojan.txt that he should not open the attachment, it
is possible to author a relevance clause targeting the
advisory to those people about to open such an attachment. The
routing of advisories to advice event pools is handled
through the header line mechanism of MIME and the
message line variations discussed above. A simple header
line of the form advice-event-pool:, followed by the name of
a predefined advice event, indicates the desired routing.
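
The routing and event-time evaluation described above, as an added Python example (not code from the patent). The advice-event-pool header and the event name come from the text; the relevance header, its small property-equality clause syntax, the property names and the case-insensitive comparison are assumptions of this sketch.

```python
import re
from email import message_from_string

# Events the mail reader is assumed to publish; the name is the one in the text.
PREDEFINED_EVENTS = {"Eudora About to Open Attachment"}

# Constructed advisory. The "relevance" header and its syntax are hypothetical.
ADVISORY = """\
From: security-desk@example.org
Subject: Do not open trojan.txt
advice-event-pool: Eudora About to Open Attachment
relevance: mail sender = "king@athens.gr" and attachment name = "trojan.txt"

This attachment is a maliciously prepared document. Do not open it.
"""

# One term of the clause: property name, "=", quoted literal.
TERM = re.compile(r'\s*([a-z][a-z ]*?)\s*=\s*"([^"]*)"\s*')

def parse_clause(text):
    """Parse 'prop = "v" and prop = "v"' into [(prop, value), ...].
    The grammar is closed: anything else is rejected and never executed."""
    terms, pos = [], 0
    while True:
        match = TERM.match(text, pos)
        if not match:
            raise ValueError(f"unsupported relevance clause at offset {pos}")
        terms.append((match.group(1), match.group(2).lower()))
        pos = match.end()
        if pos == len(text):
            return terms
        if not text.startswith("and", pos):
            raise ValueError(f"expected 'and' at offset {pos}")
        pos += 3

class AdviceReader:
    def __init__(self):
        self.event_pools = {}  # event name -> [(clause terms, advisory text)]

    def gather(self, raw):
        """File an advisory into the event pool named by its header line."""
        msg = message_from_string(raw)
        event = (msg.get("advice-event-pool") or "").strip()
        if event not in PREDEFINED_EVENTS:
            return False       # unknown routing: not placed in any event pool
        terms = parse_clause(msg.get("relevance") or "")
        text = msg.get_payload().strip()
        self.event_pools.setdefault(event, []).append((terms, text))
        return True

    def on_event(self, event, properties):
        """Called when the mail reader signals an event. The properties come
        from the mail being handled, so they are only compared, as strings,
        against the literals in each clause."""
        seen = {name: str(value).lower() for name, value in properties.items()}
        return [text for terms, text in self.event_pools.get(event, [])
                if all(seen.get(prop) == value for prop, value in terms)]
```

The list returned by on_event is what the advice reader would show directly or hand to the mail reader for display.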
Relevance-Adapted Communication 

The following is an example showing how relevance is 
used to customize the distribution of a body of information 
(see FIG. 19):

Consider the following problem: A certain publisher
wants to create an electronic document whose content is
tailored to the reader, for example because it consists of
advertising which is more suitable for some readers than
others, or because it consists of technical information which
is more suitable for some readers than others. However, an
ideal customization requires intimate knowledge of the
configuration and details of the consumer's preferences,
possessions, and affiliations, information which is not likely
to be made available by consumers.

The discussion below describes an implementation of a
system using the relevance evaluation components of the
invention. This implementation allows the publisher to create
relevance adapted documents, allowing solution of the
problem. The publication is distributed as a digital document
containing embedded within it references to many possible
variations in content. The selection among possible variants
is driven by relevance clauses. The components of the
document that actually appear on the user's display are those
which are selected based on intimate knowledge of the
characteristics of the user.

The following is one implementation of such a system: A
certain base document processing target format is chosen.
Suppose for concreteness this is HTML. A special source
format is then defined, consisting of documents. In the
present context, this is referred to as PRE-HTML. This
source format 194 offers the possibility of arranging many
hierarchically nested fragments of modified HTML in a
linear order. Each component of such an arrangement is
protected by one or more relevance clauses. The components
of the source format differ from HTML in that they also offer
embedded include expressions from the relevance language.

The advisory author writes the document with relevance
clauses and inspector clauses 191. To create a custom
document for a specific user, the source format document is
transported to the user computer 192, and the document in
source format is compiled into a custom target format
document 195. The target format document is then
processed by the intended target document processing system,
producing a display of a customized document 193.

The compilation step is the step where the customization
occurs and bears closer examination. As the source
document is processed, various components are encountered.
Those which are protected by relevance clauses which
evaluate to False or at any rate not to True are discarded.
They do not appear in the final target format file. Those
which are protected by relevance clauses which evaluate to
True are retained. They do appear in the final target format
file. Each retained component is processed before placement
in the target document file. If any include expressions are
identified in the file, then those expressions are evaluated,
and the results are interpolated into the target document file.

This solves the problem of customized document
preparation because the relevance language enables the provider
to prepare documents which are customized as if the author
had access to detailed intimate knowledge of properties of
the consumer's computer and environment, but it does so
without the need for the consumer to reveal that intimate
information to the provider.

This embodiment of the invention posits a provider with
information which is presented to various consumers in
precisely defined circumstances, and it uses the relevance
guarded messaging model described above. Here, the
gatherer, the watcher, and the notifier have different structure
than they do in the invention as described above, but at an
abstract level their functions are similar. For example, the
tool which compiles a source format document into a target
format document plays the role of both watcher and notifier
in the five-part model discussed above, while the target
document processing system plays the role of user interface
for the notifier. The role of gatherer is played by whatever
system or systems bring the source format document into the
consumer environment.

There are privacy considerations in this sort of custom- 
ized documentation. The use of HTML as a target language, 
for example, means that there is a possibility of leaks. 

Other implementations of relevance driven document
customization are possible. For example, one could develop
a system in which the source document is not compiled once
and for all into a target document in a well known format
but, rather, the source document is structured for interactive
interpretation. The following is an example: A source
document consists of many pages of PRE-HTML. Embedded in
the source document are conditional compilation blocks
protected by relevance clauses, and include expression
substitutions using the relevance clauses, as described before.
As the viewer goes through the document from page to page,
each page is compiled from PRE-HTML to HTML and
displayed as needed. Under this model, the user's path
through the document is determined only at run time. For
example, certain links in the document are relevance
protected. The relevance expressions refer to attributes of the
environment that are changing as the reader progresses
through the document, i.e. they are changing because the
reader is progressing through the document. For example, a
reader is prompted for information as part of his reading of
the document and, as a result of the prompt, a site profile
variable changes, causing pages visited later in the reading
to change as a result.
Remote Access to Personal Information 

The invention makes it possible for an advisory author to 
target situations based on an arbitrary combination of com- 
putationally verifiable conditions of the consumer computer 
and its environment. This environment may include data 
which may be of a personal nature. To the extent that certain 
kinds of personal data may be widely assumed to exist in a 
standard format on a substantial population of personal 
computers this creates the possibility of the invention being 
used to advise a substantial population of individuals on 
issues of a personal nature. Natural applications areas 
include: 

Personal Finance: If information about individual finan- 
cial assets is assumed to exist on the consumer com- 
puter or in its environment in a standard format on a 
large collection of consumer computers, then advice 
authors can provide a large body of individuals timely 
and relevant advice about their bank account manage- 
ment or about their investment portfolio. 

Personal Health Issues: If information about individual 
medical records is assumed to exist on the consumer 
computer or in its environment in a standard format on
a large collection of consumer computers, then advice
authors can provide a large body of individuals timely
and relevant advice about drug interactions, or about
interactions between genetic or blood type information 
and drugs. 

This creates an unprecedented opportunity, i.e. the ability
to offer highly targeted advice without compromising
individual privacy. Although the advice author is authoring
detailed assertions about the finances or health of the
consumer, and although it requires intimate knowledge of
sensitive personal information to evaluate those assertions,
the system itself is not revealing this information back to the
author. The consumer may, in some circumstances, choose
to reveal such information after reading a relevant advisory.

Such applications are limited by the need for consumers 
to capture and maintain accurate data in a standard format 
about items which concern the consumers and which are
accessible in a means well known to advice providers. It
would be highly desirable to remove the data management 
and data input burden under this arrangement, so that 
consumers are not required to become data managers. In 
particular, it would be highly desirable for the professional 
organizations responsible for maintaining accurate data
about their customers to be the locus of responsibility for 
data integrity. For example: 

Pharmacies maintain records about their customers. 

Doctors maintain records about their patients. 

Financial institutions maintain records about their clients. 

These actors are paid, in part, for keeping accurate and 
timely records about their patients, customers, or clients. 

It would be highly desirable for consumers to have access
to some key information that is maintained for them by the 
professional organizations with which they are affiliated. For 
example: 

Instead of a consumer entering into his computer data 
about his drug prescriptions, it would be desirable for 
the needed data to be obtainable from the pharmacy 
automatically on demand by the consumer computer. 

Instead of a consumer entering into his computer data 
about his stock portfolio and manipulating it daily, it 
would be desirable for any needed data to be obtained 
from the financial institution automatically on demand 
by the consumer computer. 

Instead of a consumer entering into his computer data 
about his health records and manipulating the data as 
they change, it would be desirable for any needed data 
to be obtained from the medical institution automatically
on demand by the consumer computer.

The following is a solution to this problem using the 
invention: 

A standard collection of remote medical records 
inspectors, remote financial records inspectors, and 
remote drug prescription inspectors is developed, and 
their syntax and use is published. These inspectors have 
both server side components and client side 
components, to be described later.

Advice authors write advice concerning various issues 
associated with such personal information. 

Certain doctors, financial institutions, and pharmacies 
install server side components at computers in their 
offices. They advertise to the public the availability of
remote information access. 

The consumer who is interested in benefiting from advice 
written using remote information access approaches the 
financial institution, doctor, or pharmacy and autho- 
rizes participation of his own information in the server 
software. 

The consumer subscribes to certain advice sites whose 
advice includes advice making use of the remote 
inspectors. The subscription is initialized appropriately 
so that the consumer computer's advice reader makes use
of the information. 

Such advice is periodically evaluated according to the 
advice pool in which the advice is placed. Evaluation 
causes the consumer computer to establish connections 
to remote computers to obtain needed information. For
example, the remote drug prescription inspector library 
on the consumer machine establishes a connection with 
the pharmacy information server and performs certain 
queries to check if the consumer has certain problematic
prescription combinations.

The following is an example of an advisory that is written 
using this system: Suppose that a certain pharmaceutical
manufacturer provides an antidepressant drug to its patients,
and that it is discovered that patients who also use a certain 
anti-inflammatory may experience difficulties. In practice, 
one prescription might be due to a psychiatrist and the other 
by an orthopedist who might not be aware of the patient's 
other medical prescriptions. The manufacturer authors an 
advisory referring to the dangerous combination as follows: 

exists pharmacy prescription "Xanax" and exists pharmacy
prescription "Buterin"

The manufacturer includes a description of the potentially 
dangerous combination for a message body. When the 
advice reader on the consumer computer encounters this 
relevance clause, it contacts the pharmacy server with que- 
ries for pharmacy prescription Xanax and pharmacy pre- 
scription Buterin. It determines the relevance of the advisory 
based on this. It notifies the consumer of the situation if it 
turns out to be relevant. 

An important issue in determining the consumer accep- 
tance of this system is the ability of the system to protect 
consumer privacy. To this end, the interaction between client 
and server is carefully protected: 

The connection between consumer client and pharmacy 
server is secured by standard cryptographic means (e.g. 
SSL protocol). 

The identity of the client requesting the information is
authenticated by the pharmacy server by standard cryp- 
tographic means. 

By these devices, the pharmacy server avoids revealing 
information about a person except to the advice reader on 
that person's computer. The advice reader on that person's 
computer does not reveal information so received, at least 
under ordinary operations. 

The following is a convenient interaction protocol for 
such remote inspectors. In this protocol, it is simple to make 
the client side software. The client transmits, over a secure
link, ASCII strings describing the queries exactly as they are 
described in the surface language. In the above example, the 
client transmits "pharmacy prescription Xanax." The server
parses this using a miniature version of the relevance clause 
parser evaluator. The server knows that this clause refers to 
the prescription records of Joseph A Patient because of the 
initial authentication work and, using standard database 
inquiry methods, searches the pharmacy database for an 
entry indicating that Mr. Patient had a pharmacy prescription 
to Xanax. The server then returns True or False as an ASCII 
string, and the client parses this string and returns the
corresponding Boolean to the advice reader. 
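
The query and reply exchange described above can be sketched as follows. This is an added example, not code from the patent: the class and function names, the drug-name token rule and the second patient record are assumptions, and the secured, authenticated link is simulated by a direct function call.

```python
import re

# Assumed grammar for this sketch: one query per message, exactly the
# surface-language phrase, with a conservative drug-name token.
NAME = r"[A-Za-z][A-Za-z0-9-]{0,63}"
QUERY_RE = re.compile(r"pharmacy prescription (" + NAME + r")")
TERM_RE = re.compile(r'exists pharmacy prescription "(' + NAME + r')"')


class PharmacyServer:
    """Server side of the remote inspector (hypothetical class name)."""

    def __init__(self, records):
        # records: authenticated subject -> prescribed drug names (constructed data)
        self._records = {s: {d.lower() for d in drugs} for s, drugs in records.items()}

    def handle_query(self, authenticated_subject, line):
        """Answer one ASCII query about the subject fixed at authentication.

        The query text never names a patient, so a client cannot ask
        about anyone other than the identity it authenticated as.
        """
        if authenticated_subject not in self._records:
            raise PermissionError("subject has not authorized remote access")
        try:
            text = line.decode("ascii")
        except UnicodeDecodeError:
            raise ValueError("query is not ASCII") from None
        match = QUERY_RE.fullmatch(text)
        if match is None:
            raise ValueError("query does not match the published syntax")
        found = match.group(1).lower() in self._records[authenticated_subject]
        return b"True" if found else b"False"


class RemoteDrugInspector:
    """Client side: sends the query string and parses the ASCII reply."""

    def __init__(self, send):
        # send: callable(bytes) -> bytes, standing in for the secured link
        self._send = send

    def has_prescription(self, drug):
        reply = self._send(("pharmacy prescription " + drug).encode("ascii"))
        if reply == b"True":
            return True
        if reply == b"False":
            return False
        # Anything else is an error, never silently coerced to a Boolean.
        raise ValueError("unexpected reply from server")


def evaluate_clause(clause, inspector):
    """Evaluate a conjunction of exists-terms like the advisory's clause."""
    drugs = []
    for term in clause.split(" and "):
        match = TERM_RE.fullmatch(term.strip())
        if match is None:
            raise ValueError("unsupported term: " + term)
        drugs.append(match.group(1))
    # The whole clause is validated before any query leaves the machine.
    return all(inspector.has_prescription(d) for d in drugs)


# Constructed records; the second subject is invented for contrast.
SERVER = PharmacyServer({
    "Joseph A Patient": {"Xanax", "Buterin"},
    "Constructed B Person": {"Xanax"},
})


def session_for(subject):
    """Simulate a link whose subject was fixed by the initial authentication."""
    return RemoteDrugInspector(lambda line: SERVER.handle_query(subject, line))


CLAUSE = 'exists pharmacy prescription "Xanax" and exists pharmacy prescription "Buterin"'

if __name__ == "__main__":
    print(evaluate_clause(CLAUSE, session_for("Joseph A Patient")))
    print(evaluate_clause(CLAUSE, session_for("Constructed B Person")))
```
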
Bi-Directional Communications

An intent of the invention is to allow only one way 
communication, taking information from advice provider to 
advice consumer, but not allowing information to leak back 
from consumer to provider. The phrase one way membrane 
evokes this. 

However, there are numerous situations where this model 
is restrictive. For example, in certain situations consumers 
are willing to cooperate with providers, particularly when 
they receive a benefit from cooperating. An example is when 
consumers want to get technical support to solve a specific 
problem which existing advisories do not address. For the 
sake of solving their problem, they are willing to disclose 
various pieces of information about their configuration to the 
solution provider. In other situations, advice consumers 
subscribing to a certain site are actually employees of the 
organization which operates the advice site, and so they are 
willing to share information with that particular advice
provider.

Open Bi-Directional Communications

The phrase open bidirectional communications refers to a
setting where the invention is run and the communications
are typically one way, but occasionally there are processes
which feed back information to the advice provider, and the
process takes place in the clear with the consumer computer
identity explicitly available to the provider.

Questionnaires

In one implementation (see FIG. 20), a particular document
type is defined, referred to as a questionnaire 200,
containing text together with comments, together with
distinguished Include-Expressions. Suppose that
Include-Expressions are delimited by double Dollar Signs as in $$.
The Include-Expressions are written in the relevance
language, and need not evaluate to True or False. For
example, they are string- or integer-valued. Suppose also
that comments are preceded by %-signs.

An example questionnaire is:

% Data needed by ABC Corporation to
% Diagnose the XYZ Problem

Inventory of User Computer Configuration:

Computer Manufacturer: $$ Manufacturer of Computer $$

Model: $$ Model of Computer $$

OSVersion: $$ version of Operating System $$

RAM: $$ System Ram $$

Disk: $$ size of boot volume $$

This questionnaire contains text, such as computer
manufacturer, as well as Include-Expressions, such as
manufacturer of computer. The intent of the questionnaire is that
information about the type of computer and about certain
features be collected by the advice reader using its rich
library of inspectors.

The following is an example showing how questionnaires
are used: A questionnaire such as that above is authored by
an advice provider 200 and is inserted inside the solution
component of an advisory as a MIME component with
distinctive content-type 201. The consumer sees a relevant
advisory 202, accompanied by humanly interpretable content.
The humanly interpretable content says:

You have the XYZ situation. In order to help you, we at
ABC Corp. need some information about this
situation — information about your system setting. This
information can be automatically gathered for you if
you'll push the button on the left below. You'll be given
a chance to review the information and then to approve
its transmission to ABC Corp.

Below the advisory are two buttons: one saying Gather
information and the other saying Review Request. The first
button signifies approval to gather the information; the
second button signifies a request to view the source file of
the questionnaire and thereby learn more about the
provider's request to gather data.

If the user approves 203, the relevance clauses in the
questionnaire are evaluated 204, for example using various
inspectors 205, 206, and the corresponding results are
included in the result where the relevance clauses had been.
In the case of the previous example, this process produces:

% Data needed by ABC Corporation to
% Diagnose the XYZ Problem

Inventory of User Computer Configuration:

Computer Manufacturer: Toshiba

Model: T1200

OSType: Windows 98

OSVersion: 1.0

RAM: 64 M

Disk: 2 G

The user may be shown the results of the include process
and given a chance to inspect the results and to relay the
results to the advice provider. In one implementation, the
results are presented to the user as part of a mailer window,
showing the intended recipient of this information 207, and
with a button at the bottom marked Send It 208.

By this device, the relevance language simplifies
communications between advice provider and advice consumer,
using inspectors to gather information needed by the
provider [illegible] is difficult for consumers to gather for
themselves. The provider is helped because it quickly and
accurately obtains information that may be essential in the
technical support process, and the customer is helped
because the process removes a burden which he would have
[illegible] reporting it accurately.

For this method to work it must have consumer acceptance.
Consumers are sensitive to the possibility of
questionnaire spoofing, where a questionnaire purports to gather
information of one kind, e.g. CPU type, while actually
gathering information about another kind, e.g. VISA card
number or passwords.

One technique to further consumer acceptance is for a
privacy ratings service at a central site to certify
questionnaires as being in accord with privacy standards when they
are appropriate implementations of the randomized response
protocol. Under existing Web protocols (see Khare, Rohit
(1997) Digital Signature Label Architecture, The World
Wide Web Journal, Summer 1997, Vol. 2, Number 3, pp.
49-64, O'Reilly, Sebastopol, Calif., http://www.w3.org/
DSIG) there is a method for the establishment of ratings
services which reliably certify that certain messages
have certain properties. The credibility of such assertions,
i.e. that they are actually made by the service and not by an
impostor, is based on deployment of standard authentication
and encryption devices. Applying this technology, a privacy
ratings service is established at a central site, e.g. Better
Advice Bureau.org, to certify that certain questionnaires
[illegible] information in a fashion generally accepted as
appropriate [illegible] advertised task, and the information is
used by the solicitor in a manner to protect individual identity.
Advice authors seeking certification of the privacy respecting
character of their questionnaires submit those messages
to the certification authority, which studies the messages
and, at its option, agrees to certify some of those messages
as privacy respecting. In one embodiment of the invention,
the user interface of the advice reader or similar component
is configured to permit questionnaires to be displayed to
users only when they have been credibly certified by a
trusted privacy ratings service.

Mandatory Feedback

In one embodiment of the invention (see FIG. 21), open
two-way communication is possible for the purposes of
maintaining a relationship with a certain trusted provider.

This assumes a consumer situation different from the
usual invention setting. In this variant setting, certain kinds
of advice providers enjoy a special status, for example as
employers or contractors, which allows them certain coercive
privileges not ordinarily enjoyed by advice providers in
other settings. These overlord advice sites 210 publish
advisories that are gathered by a reader 211, which then
performs a relevance evaluation on the advisory 212. Relevant
messages are displayed 213 to the user and the user
[illegible] 214 as recommended by
the advisory. A feedback path 216 enables user actions to be
reported 215 to the overlord advice site.
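
The questionnaire format described above (%-comments, Include-Expressions between double dollar signs, review before anything is sent) is shown here as an added example that is not part of the patent. The inspector table, the approved-expression set and the spoofed line are constructed; the spoofed line reproduces the label and expression mismatch that the text calls questionnaire spoofing.

```python
import re

INCLUDE_RE = re.compile(r"\$\$(.*?)\$\$")

# Constructed inspector table standing in for the advice reader's
# inspector library; values mirror the filled-in example in the text.
INSPECTORS = {
    "manufacturer of computer": lambda: "Toshiba",
    "model of computer": lambda: "T1200",
    "version of operating system": lambda: "1.0",
    "system ram": lambda: "64 M",
    "size of boot volume": lambda: "2 G",
}

# Assumption: the set of expressions a reader (or a ratings service)
# accepts for a hardware-inventory questionnaire.
APPROVED = frozenset(INSPECTORS)

QUESTIONNAIRE = """\
% Data needed by ABC Corporation to
% Diagnose the XYZ Problem
Inventory of User Computer Configuration:
Computer Manufacturer: $$ Manufacturer of Computer $$
Model: $$ Model of Computer $$
OSVersion: $$ version of Operating System $$
RAM: $$ System Ram $$
Disk: $$ size of boot volume $$
"""

# Constructed spoofing case: the visible label promises one thing,
# the Include-Expression asks for another.
SPOOFED = "CPU Type: $$ stored password of user $$\n"


def is_comment(line):
    return line.lstrip().startswith("%")


def include_expressions(source):
    """List (line number, visible label, expression) for every include field."""
    found = []
    for number, line in enumerate(source.splitlines(), start=1):
        if is_comment(line):
            continue  # comments are shown to the user but never evaluated
        if line.count("$$") % 2:
            raise ValueError(f"line {number}: unterminated Include-Expression")
        for match in INCLUDE_RE.finditer(line):
            label = line[:match.start()].strip().rstrip(":")
            found.append((number, label, match.group(1).strip()))
    return found


def unapproved(source, approved):
    """Expressions the reader would refuse, with the label shown beside them."""
    return [item for item in include_expressions(source)
            if item[2].lower() not in approved]


def fill(source, inspectors, approved):
    """Substitute results for include fields, refusing anything unapproved."""
    permitted = set(approved) & set(inspectors)
    rejected = unapproved(source, permitted)
    if rejected:
        raise PermissionError(f"unapproved Include-Expressions: {rejected}")
    out = []
    for line in source.splitlines():
        if is_comment(line):
            out.append(line)
        else:
            out.append(INCLUDE_RE.sub(
                lambda m: inspectors[m.group(1).strip().lower()](), line))
    return "\n".join(out)


if __name__ == "__main__":
    print(fill(QUESTIONNAIRE, INSPECTORS, APPROVED))
    print(unapproved(SPOOFED, APPROVED))
```
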
In this embodiment, any of the following options may be
exercised:

Certain advice site subscriptions are mandatory;

Certain advice cannot be deleted by the user, advice by
certain providers is not subject to user scheduling,
prioritization, or deprecation;

Certain advice generates automatic feedback from the user
to the provider, concerning some or all of:

(a) The consumer computer's identity;

(b) The relevance status of a certain advisory on that
computer; and

(c) The fact that a user has/has not taken a certain
recommended solution in a certain advisory.

The feedback is transmitted by e-mail or by other
convenient electronic means.

In this setting, a manager of many computers can:

(1) write advisories destined to many machines he is
managing;

(2) expect that the machines all receive the advisory; and

(3) expect to receive, in return, information about the
relevance and/or solution status of the advice on all
those machines.

This set of functions may be implemented by modifying
the basic advice reader architecture discussed above (see
FIG. 22).

Advice sites 220 may be given a special overlord status (as
discussed above in connection with FIG. 21) by configuring
the subscription manager of the advice reader to
enable such special status.

A new message line type, Mandated-Action, is instituted and
is used by advice sites with overlord status to label a
message component with a special keyword phrase as
invoking a certain coercive privilege:

Not user deleteable labels a message as not deletable by
the user through the advice reader user interface 221;

On relevance 222, Evaluate questionnaire 223 and mail
back 224 labels a message as requiring immediate
notification 225 of the author via a feedback path 226
upon relevance, the notification involving first processing
of a questionnaire filling in the various include
fields and second transmitting the information to the
author;

Mail back on user acceptance labels a message as requiring
immediate notification of the author upon user
accepting a proposed action by selecting the action
button of an associated advisory;

Mail back on user refusal labels a message as requiring
immediate notification of the author upon user accepting
a proposed action by selecting the action button of
an associated advisory. The advice reader is modified in
the appropriate way to carry out the indicated function
when a message with overlord status is received and
processed.

Masked Bi-Directional Communications

It is possible to enable bidirectional communications
while preserving some degree of privacy protection by
masking the identity of the respondent.

Masking Via Anonymous Communications and Privacy
Ratings

In one implementation (see FIG. 23), an advice provider
231 obtains detailed information from consumer computers
while communicating with consumers anonymously, thus
enabling consumers to protect their own privacy. This
embodiment of the invention limits the scope of
communications so that when messages return to the advice provider:

Message headers contain no information uniquely identifying
the respondent;

Message bodies themselves contain no information uniquely
identifying the respondent; and

The process has these components:

An advice provider 231 authors a document such as a
questionnaire as described above, for gathering information
automatically or an HTML form for gathering
information by consumer interview. The user's advice
reader 232 gathers this information.

Upon determining relevance 233:

If the document is a questionnaire, the advice reader fills
in the appropriate include fields.

If the document is an HTML form, the consumer fills in
the appropriate survey questions.

The document is e-mailed to the provider via anonymous
routing along feedback paths 235, 236 through a certain
centralized site, e.g. the Better Advice Bureau,
advisories.com, or another site 230 offering identity
protection via anonymous remailer or functionally
equivalent services.

[illegible] process removes information about
the identity of the consumer, by stripping such identity from
the message headers. Consumers are expected to have
confidence in the fundamental validity of this approach
[illegible] understand that the centralized site has an
[illegible] of the process.

The consumer himself is responsible for ensuring that the
message body is free of identifying information. For
example, if the consumer responds to an HTML form asking
[illegible] address, then he is not protecting his own
identity. If the consumer forwards a questionnaire containing
identifying information, such as IP address, then he is
[illegible] protects his privacy
[illegible]

Under existing internet protocols (see Khare, Rohit, Digital
Signature Label Architecture, The World Wide Web Journal,
Vol. 2, Number 3, pp. 49-64, O'Reilly (1997)
http://www.w3.org/DSIG) there is a method for the establishment
of ratings services which reliably certifies that certain
messages have certain properties. The credibility of such
assertions, i.e. that they are actually made by the service and
not by an impostor, is based on deployment of standard
authentication and encryption devices. Applying this
technology, a privacy ratings service is established at a
central site, e.g. Better Advice Bureau.org, to certify that
certain questionnaires do not contain devices soliciting
sensitive information. Advice authors seeking certification
of privacy respecting character of their messages submit
those messages to the certification authority which studies
the messages and, at its option, agrees to certify some of
those messages as privacy respecting. In one embodiment of
the invention, the user interface of the advice reader or
similar component is configured to permit questionnaires
and forms to be displayed to users only when they are
credibly certified by the privacy ratings service.

Masking Via Randomized Response

In one implementation, an advice provider obtains
detailed information from consumer computers while
enabling consumers to protect their own privacy. This
embodiment of the invention limits the scope of
communications so that when messages return to the advice provider:

Message bodies themselves contain no information which
can be reliably inferred to reflect the true state of the
consumer's computer or environment.

In certain embodiments, the technique is supplemented by
the use of centralized anonymous communications and 
centralized privacy certifications. 
The process has these components: 
An advice provider authors a document similar to a 
questionnaire as described above, for gathering infor- 
mation automatically, however obeying additional con- 
straints. 

The advice reader fills in the appropriate include fields, 
randomly changing the answers, and changing the 
correct answers to incorrect answers, depending on a 
random mechanism. 

The resulting document is returned to the author.

In one implementation, the process by which the infor- 
mation is returned is made anonymous. The document is 
addressed to a certain centralized site, e.g. the Better Advice 
Bureau, or advisories.com, or another site offering identity 
protection via anonymous remailer or functionally equiva- 
lent services. This final stage of this process removes 
information about the identity of the consumer by stripping 
such identity from the message headers.

The following discussion describes the concept of ran- 
domly changing the answers in more detail: Suppose that 
only questionnaires with Boolean values are allowed, 
although more general questionnaires are allowed with extra 
work. The relevance evaluation component of the advice 
reader evaluates the Boolean expressions indicated in the 
include fields. However, it does not always insert the result 
in the outgoing message. Refer to R as the value obtained by 
relevance evaluation. Instead of always substituting a rep- 
resentation of R in place of the include field, the advice 
reader conducts a two stage stochastic experiment. At the 
first stage, it obtains a random Boolean X from a random 
number generator, the random Boolean being equally likely 
to be True or False. The value of X is kept private, and drives
a decision at the first stage. In this decision, if X is True, the 
decision is taken to insert a representation of R in the include 
field. If X is False, the decision is taken to obtain a second 
Boolean Y, again equiprobable, and to insert a representation 
of Y in the include field. As a result, in any specific message,
it is impossible to say whether the answer obtained at the 
relevance evaluation stage (R) is True or False on the basis 
of that message alone because the reported value is equally 
likely to be R or Y, and the variable X driving the choice 
between R and Y is not divulged. 

This provides a degree of privacy protection for the 
consumer.

At the same time, this randomized response communica- 
tions protocol makes it possible for the questionnaire author 
to obtain information reliably about the population of users 
while not revealing information about specific users. If k 
denotes the fraction of users in the sample with a certain 
characteristic, and p denotes the fraction of True responses 
received, then: 

E(p) = 1/4 + k/2

where E(.) denotes mathematical expectation. 

From p ≈ E(p) (the law of large numbers), k can be
estimated by: 

For example, if 61% of the responses are True, one
estimates that 72% = 2(61% − 25%) of the sample has the
given characteristic. 

There are extensions of the method to non-Boolean vari- 
ables and to multiple item responses. 
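
The two-stage experiment and the population estimate can be checked numerically. This is an added example, not part of the patent: the estimator is the inversion of E(p) = 1/4 + k/2 implied by the 61% to 72% worked figure, the posterior calculation is an addition that quantifies what one or more reports reveal about a single respondent, and the function names and sample population are constructed.

```python
import random


def randomized_report(r, rng):
    """Two-stage experiment from the text.

    X (private) decides whether the true value R is reported; if not,
    an independent equiprobable Boolean Y is reported instead.
    A deployed reader would pass random.SystemRandom() as rng.
    """
    x = rng.random() < 0.5
    if x:
        return r
    return rng.random() < 0.5  # Y


def expected_true_fraction(k):
    """E(p) = 1/4 + k/2 for a population where a fraction k has R = True."""
    return 0.25 + k / 2


def estimate_k(p):
    """Invert E(p); clamp because sampling noise can leave [0, 1]."""
    return min(1.0, max(0.0, 2 * (p - 0.25)))


def survey(true_values, rng):
    """Return (observed fraction of True reports, estimate of k)."""
    reports = [randomized_report(r, rng) for r in true_values]
    p = sum(reports) / len(reports)
    return p, estimate_k(p)


def posterior_true(reports, prior_k):
    """P(R is True | reports about ONE respondent), by Bayes' rule.

    A report equals R with probability 3/4 (1/2 + 1/2 * 1/2), so each
    report multiplies the odds by 3 or by 1/3. Assumes each report used
    fresh coins, which is what re-asking the same field would do.
    """
    if not 0 < prior_k < 1:
        raise ValueError("prior must be strictly between 0 and 1")
    odds = prior_k / (1 - prior_k)
    for reported in reports:
        odds *= 3.0 if reported else 1 / 3.0
    return odds / (1 + odds)


if __name__ == "__main__":
    rng = random.Random(1998)  # seeded only to make the demo repeatable
    population = [i < 30000 for i in range(100000)]  # constructed, k = 0.30
    print(survey(population, rng))
    print(estimate_k(0.61))                   # the text's worked figure
    print(posterior_true([True], 0.5))        # one report
    print(posterior_true([True] * 3, 0.5))    # same field asked three times
```

A single report moves an even prior to 0.75, so the protection is partial, and asking the same field repeatedly with fresh coins lets an observer average the noise away.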
For this method to work it must have consumer acceptance.
One technique to further consumer acceptance is for
a privacy ratings service at a central site to certify messages
as being in accord with privacy standards when they are
appropriate implementations of the randomized response
protocol. Under existing internet protocols (see Khare,
Rohit, Digital Signature Label Architecture, The World
Wide Web Journal, Vol. 2, Number 3, pp. 49-64, O'Reilly
(1997) http://www.w3.org/DSIG) there is a method for the
establishment of ratings services, which reliably certifies
that certain messages have certain properties. The credibility
of such assertions, i.e. that they are actually made by the
service and not by an impostor, is based on deployment of
standard authentication and encryption devices. Applying
this technology, a privacy ratings service is established at a
central site, e.g. Better Advice Bureau.org, to certify that
certain questionnaires use randomized response techniques
appropriately and protect individual identity. Advice authors
seeking certification of the privacy respecting character of
their messages submit those messages to the certification
authority which studies the messages and, at its option,
agrees to certify some of those messages as privacy respecting.
In one embodiment of the invention, the user interface
of the advice reader or similar component is configured to
permit questionnaires and forms to be displayed to users
only when they have been credibly certified by the privacy
ratings service.
Network Management 

The following discussion describes two important variations
of the basic invention which are useful in problems of
network management, i.e. management of large networks of
computational devices.
Mandatory Advice 

In the basic description of the invention, it is assumed that 
advice is offered as a convenience to a human consumer who
acts in a managerial role to read and act appropriately at his
option (see FIG. 24).

There are settings where the basic communications model 
described earlier can be usefully modified so that there is no 
user review of certain advisories. As an example of one such 
setting, a network administrator 240 supervises a large 
network of communicating computational devices, each one
in a potentially different and dynamically changing state. 
The network administrator wants certain devices to perform 
a certain operation, but does not know which devices those
are.

In this setting, it is valuable to have an advice reader 
program 241 which obtains and reviews 242 advisories, but 
which automatically applies the indicated solution operator 
244 when relevance 243 is determined. This enables the
network administrator to write a general advisory targeting
many machines but not knowing in advance which machines 
those turn out to be; and obtain the desired functionality on 
those machines. A solution or communications log 245 may 
optionally be mailed back to the network administrator via
a feedback path 246.

Examples of scenarios where this functionality is useful 
include: 

Target all machines whose security settings do not match
a certain administrator defined standard. Reimpose the
required settings on all such machines.

Target all machines with a copy of a certain file. On such
machines, replace the file with an updated version.

Target all machines which have less than a certain amount
of free space on local disk. On such machines, purge
the tmp volume.

Other examples can be supplied, including examples 
outside the technical support application. For example, in a
setting where office appliances are computational devices,
network management involves tasks concerning the maintenance
and monitoring of assets and their use.

In the currently understood best implementation of this
variation, there are several changes to the invention:
The advice reader is implemented as a faceless applica- 
tion with no user interface component. 
The advice reader typically receives advisories by mes- 
saging mechanisms alternative to the usual subscription 
model, for example by e-mail or other diffusion mecha- 
nism. 

The message format omits the humanly interpretable 
content. 

The message format includes a message component containing
a software tool, such as a script or executable
binary, or a reference to a software tool, such as a URL 
or a file system pathname, providing functionality to be 
invoked automatically in case a certain condition 
becomes relevant.
Certain features may be included in this variant: 
Security Feature. The advice reader includes an authen- 
tication feature to verify the identity of the advice site 
attempting to exert coercive privilege. 
Bi-directional Communication Feature. The advice reader
includes the ability to communicate back to the advice
Author when the advice Author requires this, as indicated
by a Mandated-Action: message line.
Master-Slave Configuration 

In the description of the invention, it is assumed that
advice is offered as a convenience to a human consumer, 
who acts in a managerial role to read and act appropriately 
at his option. In the description, it is assumed implicitly that 
the consumer is the manager of a personal computer and its 
environment.

There are settings where the basic communications model 
described earlier can be usefully modified to reflect the 
needs of managers of large collections of computational 
devices. As an example of one such setting (see FIG. 25), a 
network administrator 250 supervises a large network of
communicating computational devices 251-253, each one in
a potentially different and dynamically changing state. The
network administrator wants to have an advice reader which
functions as a master reader 254, in which each entry he sees
in the master user interface summarizes the relevance status
of advice on many machines 255, 256 simultaneously. This 
allows the manager to overview 257, 258 and to make 
decisions about accepting or rejecting advice on many 
machines at once. 

In this setting, the network administrator's workstation is
a master machine and the computational devices he manages
are slave machines. It is very desirable to have a master
advice reader program running on the master machine and
which obtains advisories, and which then communicates
with the slave machines, each one running a slave relevance
evaluator and slave action implementer, and which summarizes
the results of the interaction. These slave relevance
evaluators accept messages from the master advice reader.
The messages consist of wrapper information and individual
relevance clauses. The slaves evaluate the relevance clauses
in the environment defined by their machines and transmit
the resulting values to the master. The master reader then
studies the results so obtained and, according to a special
master user interface, presents to the network administrator
a summary of master relevant messages. A message is
deemed master relevant if the associated relevance clause is
true on any slave machine. The network administrator
studies the master relevant messages and may accept the
proposed actions associated with some of them. When he
does so, the master reader communicates with the slave
action evaluator on slave machines on which a relevant
result is obtained, relaying the recommended action part of 
the advisory, and indicating that the action should be taken. 
Each slave action evaluator contacted in this way then 
applies the indicated solution within the environment pro- 
vided by that machine. 

In this setting, a network administrator subscribes to 
advice and plays the role of managing the advice process in 
place of all the users of the slave machines. If a piece of 
advice, when relevant under the ordinary invention, suggests 
to a user that certain software should be updated on that 
user's machine, then the same advice is presented to the 
network administrator instead when some machine on the 
network should have an update, and it effectively proposes 
that the corresponding software on every such machine be 
updated. 

In the currently understood best implementation of this 
variation, there are several changes to the usual invention 
model: 

The slave relevance evaluator and slave action implemen-
tor are implemented as faceless applications with no
user interface component.

The slave relevance evaluator and slave action implemen- 
tor typically receive advisories by messaging mecha- 
nisms alternative to the usual subscription model, for 
example by e-mail or other diffusion mechanism. 

The message format for communications between master
reader and slave relevance evaluator omits the humanly
interpretable content.

The message format for communications between master
reader and slave action implementor includes a message
component containing a software tool, such as a script 
or executable binary, or a reference to a software tool, 
such as a URL or a file system pathname, providing 
functionality to be invoked automatically. 

In addition, certain variations may be exercised as well. 
The slave advice evaluator and slave action implementor 
include cryptographic authentication features to verify the 
identity of the master attempting to exert coercive privilege. 

Owing to the difference in outlook that a network admin- 
istrator has, the Master user interface has features not 
ordinarily available in the invention. These include: 

Machine List Display. To display a list of all the machines 
on which a given advisory is relevant. To decorate this 
list by including other characteristics of the machines. 

Machine List Filtering. To apply selection mechanisms to
the list of relevant machines, allowing the recommended
action to be applied only to a selected subgroup of
machines within the relevant group. Particularly useful
is the ability to intersect a list of machines with a
predefined list, e.g. a list of machines in a certain 
operational division, a list of machines in a certain 
location, or a list of machines arising as relevant in 
some other advisory. It is also important to allow the 
list of machines to be expanded beyond the relevant 
machines, allowing both editing by hand or concatena- 
tion with some other list of machines, for example a 
predefined list, or a list of machines relevant for some 
other advisory. 
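
The master/slave exchange described above, as an added Python illustration that is not part of the patent: the master signs each request, every slave verifies it before evaluating a relevance clause or applying an action, and the action goes only to relevant machines that also appear in a predefined list. HMAC-SHA256 with a pre-shared key stands in for the unspecified cryptographic authentication features, and all names (MASTER_KEY, CLAUSES, Slave, FLEET) are hypothetical.

```python
import hashlib, hmac, json

MASTER_KEY = b"constructed-demo-key"   # assumption: key pre-shared with every slave
# Hypothetical relevance clauses: named predicates over a machine's own state.
CLAUSES = {"old_editor": lambda env: env["editor_version"] < 5,
           "low_disk": lambda env: env["free_mb"] < 100}

def sign(key, payload):
    """Master side: canonical JSON body plus an HMAC-SHA256 tag over it."""
    body = json.dumps(payload, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

class Slave:
    """Faceless evaluator/implementer that authenticates the master first."""
    def __init__(self, name, env, key=MASTER_KEY):
        self.name, self.env, self.key, self.applied = name, env, key, []

    def _verified(self, body, tag, expected_type):
        good = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good, tag):
            return None                      # sender does not hold the master key
        msg = json.loads(body)
        return msg if msg.get("type") == expected_type else None

    def evaluate(self, body, tag):
        msg = self._verified(body, tag, "evaluate")
        return None if msg is None else bool(CLAUSES[msg["clause"]](self.env))

    def act(self, body, tag):
        msg = self._verified(body, tag, "act")
        if msg is None:
            return False
        self.applied.append(msg["action"])   # stand-in for invoking the software tool
        return True

def relevant_machines(slaves, clause, key=MASTER_KEY):
    """Master side: the advisory is master relevant if this list is non-empty."""
    body, tag = sign(key, {"type": "evaluate", "clause": clause})
    return [s.name for s in slaves if s.evaluate(body, tag) is True]

def apply_action(slaves, clause, action, allowed, key=MASTER_KEY):
    """Machine list filtering: act only on relevant machines also in `allowed`."""
    targets = set(relevant_machines(slaves, clause, key)) & set(allowed)
    body, tag = sign(key, {"type": "act", "action": action})
    return sorted(s.name for s in slaves if s.name in targets and s.act(body, tag))

FLEET = [  # constructed sample fleet, not from the patent
    Slave("pc1", {"editor_version": 4, "free_mb": 900}),
    Slave("pc2", {"editor_version": 6, "free_mb": 50}),
    Slave("pc3", {"editor_version": 3, "free_mb": 500})]
```

Because the tag covers the message type, an evaluation request cannot be resubmitted as an action request; a nonce or timestamp would still be needed to stop a captured action message from being replayed.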

The logical structure described is that of a single body of
advisories evaluated for relevance in a collection of different 
contexts, where the results in all those different contexts are 
gathered together in one single master user interface. This 
logical structure makes sense in other settings. For example,
in the example of drug interactions discussed above, the
pharmacist is an administrator, the body of advisories that he
has received from pharmaceutical manufacturers are a body
to be applied in many different contexts, and each of his
customers' database records provides a unique context for
interpretation of the advisories. Here, the context is not of
individual machines but individual records in a database.
The master user interface is the basis for another variation of
the invention, i.e. operating with a specialized database
inspector, the master advice reader obtains a list of all the
patients for each advisory for whom a given advisory is
relevant. The user interface displays only master-relevant
information to the pharmacist, i.e. advisories relevant for
some patient in the database. The pharmacist then views the
relevant advisories and inspects a list of associated patients. 

Although the invention is described herein with reference 
to the preferred embodiment, one skilled in the art will 
readily appreciate that other applications may be substituted 
for those set forth herein without departing from the spirit 
and scope of the present invention. Accordingly, the inven- 
tion should only be limited by the claims included below. 

What is claimed is: 

1. A communications system, comprising: 

an advice provider which broadcasts information over a 
communications medium;

an advice consumer for gathering said broadcast infor-
mation from said communications medium; and

a reader associated with said advice consumer for deter- 
mining relevance of said broadcast information further 
comprising: 

a means for providing relevant information to said 
advice consumer without revealing any aspect of 
said advice consumer's identity to said advice pro- 
vider; 

wherein said advice consumer is advised of said infor- 
mation only if said information meets certain predeter- 
mined relevance criteria; 

wherein relevance of said information to said advice 
consumer is based upon any of the properties of an 
advice consumer's computer, said computer's contents 
or state, or the properties of a local environment 
associated with said computer; 

wherein said advice consumer maintains anonymity, 
privacy, and security by not revealing to said advice 
provider either that said advice consumer is interested 
in information from said advice provider, that said 
advice consumer has received any particular message, 
or that said information is relevant to said advice 
consumer; 

wherein said information being broadcast may consist of 
any of humanly-interpretable content, data, or software 
tools; and

wherein said advice provider specifies an audience for 
whom said information is potentially relevant by refer-
ring to properties of an advice consumer which are used
to determine the relevance of said information to said
advice consumer.

2. The system of claim 1, wherein relevant information 
may be presented to said advice consumer for review and 
action, or it may be acted on automatically. 

3. In a system including computational devices connected 
by a communications network, a communications apparatus
for linking an information provider to information 
consumer, comprising: 
specific units of advice to be shared;

an advice provider for broadcasting said advice in the 
form of advisories comprising digital documents con- 
veying said advice and containing an explanatory com- 
ponent describing in terms said advice consumer can 
easily understand the reason that said advisory is rel- 
evant and the purpose and effects of the action which is 
being recommended to said advice consumer; 

an advice consumer for receiving said advisories; 

wherein advisories are broadcast over said communica- 
tions network from said advice provider to said advice 
consumer; 

a communications protocol for narrowly-focused target- 
ing of said advisories to said advice consumer by 
automatically matching advisories with an advice con- 
sumer for whom said advisories are relevant; 

an advice reader associated with an advice consumer 
computer for performing relevance determination 
based on a combination of conditions, including any of 
hardware attributes, configuration attributes, database 
attributes, environmental attributes, computed 
attributes, remote attributes, timeliness, personal 
attributes, randomization, and advice attributes further 
comprising 

a gatherer for gathering advisories to which said advice 
consumer subscribes; 

a subscription manager for entering subscriptions to 
advisories based on information in at least one 
advice consumer site definition file; 

an unwrapper for parsing said advisories; 

a module for determining the relevance of said 
advisories, said determination being made either 
continuously, at scheduled intervals, or under user 
manual control; 

a user interface that receives relevant advisories; and 

a display and management system that displays rel- 
evant advisories for inspection by said advice con- 
sumer; 

wherein any information that is actually on said advice 
consumer computer or reachable from said advice 
consumer computer may be used to determine rel- 
evance; and 

wherein said advice reader operates automatically to 
determine relevance. 

4. The apparatus of claim 3, further comprising: 

a display for presenting said advice consumer with rel- 
evant advisories only, wherein said advice consumer is 
not burdened with irrelevant advisories. 

5. A communications apparatus, comprising: 
an advisory comprising:

a relevance clause comprising an assertion about the 
state of an advice consumer computer, its contents, 
or environment which can be automatically evalu- 
ated by comparing said assertion with said advice 
consumer computer's actual state; 
a message associated with said relevance clause whose 
suitability for the consumer is determined at least
partially by the evaluation of said relevance clause; 
a gatherer for assuring that relevance clauses flow into 
said advice consumer computer from various locations;
a watcher for evaluating relevance clauses by comparing 
them with an actual state of an advice consumer 
environment, and by inspecting properties of said 
advice consumer computer and its environment and 
checking if these point towards or away from rel-
evance; and

a notifier for displaying messages to an advice consumer
under at least partial guidance of an evaluated rel-
evance clause
wherein said advisory further comprising any of: 

a wrapper for packaging information in said advisory
for transport and subsequent decoding;
a from line for identifying an advice author;
a subject line for identifying the concern of said advi-
sory;
a relevance clause for specifying conditions under
which the said is relevant;
a message body for providing explanatory material
explaining to said advice consumer what condition is
relevant, why said advice consumer is concerned,
and what action is recommended; and
an action button for providing said advice consumer
with the ability to invoke an automatic execution of
a recommended action.